Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony

Juniper EX4100-F-12P power supply failed?
https://blog.michaelfmcnamara.com/2024/05/juniper-ex4100-f-12p-power-supply-failed/
Sat, 18 May 2024 17:48:43 +0000
[Image: Juniper EX4100-F-12P]

We use a few Juniper EX2300C and recently EX4100-F-12P switches where we have a need. There’s an interesting issue with the EX4100-F-12P: it appears that you can power it over PoE. However, if you power it from a standard power supply you’ll get syslog messages indicating that there is a power supply failure. Junos seems to think that because the switch isn’t being powered by PoE there’s a power supply failure.

Mar 18 16:20:55  EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 2, jnxContentsL3Index 0, jnxContentsDescr Power Supply 1 @ 0/1/*, jnxOperatingState 6)
Mar 18 16:20:55 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 3, jnxContentsL3Index 0, jnxContentsDescr Power Supply 2 @ 0/2/*, jnxOperatingState 6)
Mar 18 17:20:56 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 2, jnxContentsL3Index 0, jnxContentsDescr Power Supply 1 @ 0/1/*, jnxOperatingState 6)
Mar 18 17:20:56 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 3, jnxContentsL3Index 0, jnxContentsDescr Power Supply 2 @ 0/2/*, jnxOperatingState 6)

We opened a ticket with Juniper and they believe it’s a flaw. The issue is that we monitor over 1,000 switches and we use the syslog feed to create alerts and tickets for review, so now we need to build exemptions into our logging to deal with these false positive alerts.
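One way to build that exemption narrowly, so the known EX4100-F false positive is dropped while the same trap from any other switch still opens a ticket, is shown below. This is an added Python example, not code from the post; the host inventory (EX4100F_ON_STANDARD_PSU), the extra EX4300-SW07 log lines and the unrelated sshd line are constructed for the example, while the four EX4100F lines are the ones quoted above.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory (an assumption for this example): hosts that are EX4100-F
# units deliberately running on a standard power supply rather than PoE. In practice
# this would come from your CMDB or an explicit allowlist in the log pipeline.
EX4100F_ON_STANDARD_PSU = {"EX4100F"}

# Matches the CHASSISD_SNMP_TRAP6 lines Junos emits for chassis events.
TRAP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8})\s+(?P<host>\S+)\s+chassisd\[\d+\]:\s+"
    r"CHASSISD_SNMP_TRAP6:\s+SNMP trap generated:\s+(?P<event>[^(]+?)\s*\((?P<fields>.*)\)\s*$"
)


@dataclass
class Trap:
    ts: str
    host: str
    event: str
    fields: dict = field(default_factory=dict)


def parse_trap(line):
    """Parse one CHASSISD_SNMP_TRAP6 syslog line into a Trap, or None for other lines."""
    m = TRAP_RE.match(line)
    if m is None:
        return None
    fields = {}
    for item in m.group("fields").split(", "):
        key, _, value = item.partition(" ")  # e.g. "jnxContentsDescr Power Supply 1 @ 0/1/*"
        fields[key] = value
    return Trap(m.group("ts"), m.group("host"), m.group("event"), fields)


def should_alert(trap):
    """Decide whether a trap should open a ticket.

    The only exemption is the one the post describes: 'Power Supply failed'
    (jnxOperatingState 6, 'down' in the Juniper chassis MIB) reported by an
    EX4100-F that is known to be running on a standard PSU. Every other trap,
    including the same event from any other host, is forwarded unchanged.
    """
    if (trap.event == "Power Supply failed"
            and trap.fields.get("jnxOperatingState") == "6"
            and trap.host in EX4100F_ON_STANDARD_PSU):
        return False, "suppressed: known EX4100-F false positive (not PoE-powered)"
    return True, "forwarded to ticketing"


def triage(lines):
    """Run the exemption over a syslog feed; returns (alerts, suppressed), each a list
    of (host, jnxContentsDescr, reason) tuples."""
    alerts, suppressed = [], []
    for line in lines:
        trap = parse_trap(line)
        if trap is None:
            continue
        alert, reason = should_alert(trap)
        record = (trap.host, trap.fields.get("jnxContentsDescr"), reason)
        (alerts if alert else suppressed).append(record)
    return alerts, suppressed


# Sample feed: the four lines from the post, plus constructed lines from a different
# host (an EX4300 with a genuinely failed PSU) that must still alert, and one
# non-chassisd line the parser has to ignore.
SAMPLE_FEED = [
    "Mar 18 16:20:55  EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 2, jnxContentsL3Index 0, jnxContentsDescr Power Supply 1 @ 0/1/*, jnxOperatingState 6)",
    "Mar 18 16:20:55 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 3, jnxContentsL3Index 0, jnxContentsDescr Power Supply 2 @ 0/2/*, jnxOperatingState 6)",
    "Mar 18 17:20:56 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 2, jnxContentsL3Index 0, jnxContentsDescr Power Supply 1 @ 0/1/*, jnxOperatingState 6)",
    "Mar 18 17:20:56 EX4100F chassisd[17857]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 3, jnxContentsL3Index 0, jnxContentsDescr Power Supply 2 @ 0/2/*, jnxOperatingState 6)",
    # constructed: same trap from another platform, which must still alert
    "Mar 18 17:31:02 EX4300-SW07 chassisd[2210]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Power Supply failed (jnxContentsContainerIndex 2, jnxContentsL1Index 1, jnxContentsL2Index 2, jnxContentsL3Index 0, jnxContentsDescr Power Supply 0 @ 0/0/*, jnxOperatingState 6)",
    # constructed: unrelated line, ignored by the parser
    "Mar 18 17:31:05 EX4300-SW07 sshd[3012]: Accepted publickey for admin from 10.0.0.5 port 51512",
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_FEED)
    for host, descr, reason in alerts + suppressed:
        print(f"{host:12} {descr:24} {reason}")
```

Keying the exemption on hostname, event and operating state together keeps it from hiding a real PSU failure on one of the other thousand switches, and the inventory set is the single place to revisit once Juniper ships a fix.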

Hopefully Juniper will fix this bug.

Cheers!

Juniper EX4400 Switch – LLDP missing
https://blog.michaelfmcnamara.com/2023/10/juniper-ex4400-switch-lldp-missing/
Thu, 19 Oct 2023 00:54:49 +0000

I recently stumbled into an interesting issue with the latest recommended release for the Juniper EX4400 switch running software release 22.2R3-S2.8. The LLDP table was missing the entries for the neighboring Juniper EX4650 switch that it was uplinked to.

Long story short it turns out that this is a known issue.

You need to add the following configuration statement to your adjacent switch, not the EX4400 itself but the switch on the “other” side of the connection:

set protocols lldp tlv-filter cloud-connect-event

With that statement in the EX4650, the EX4400 would display the appropriate neighboring links in its LLDP table.

Cheers!

Juniper EX4400 – Virtual Chassis not working
https://blog.michaelfmcnamara.com/2023/10/juniper-ex4400-virtual-chassis-not-working/
Tue, 17 Oct 2023 01:43:43 +0000

We made the jump from the EX4300 to the EX4400 this year and while things have been good, we’ve seen a number of bugs and issues with the early software releases.

If you run into issues with Virtual Chassis, my first suggestion is to check the software release.

By default, the QSFP28 ports on the back of the Juniper EX4400 should be set up as “Virtual Chassis” ports for stacking. You can issue the following command to change the configuration if needed;

request virtual-chassis mode network-port disable reboot

The issue I found is that ~ 70% of the time a Juniper EX4400 would fail to see the Virtual Chassis ports (and fail to “stack” properly) if it was running 21.2R3.8 software – the software release Juniper was shipping on switches sold in early 2023. An upgrade to 21.4R3-S3.4 or even the current recommendation of 22.2R3-S2.8 immediately resolves the issue.

I’ve also observed a number of odd PoE/interface issues impacting Juniper MIST Access Points, Kronos clocks along with other assorted PoE devices, such that they receive power but are unable to establish a LINK on the port with either 1Gbps or 2.5Gbps.

I’m currently running 21.4R3-S3.4 in production but we’re seeing a lot of intermittent BFD timeouts which we suspect is a software issue. We’re currently testing 22.2R3-S2.8 in a number of locations.

Cheers

Juniper EX4300 & EX2300 J-Web Authentication via TACACS+
https://blog.michaelfmcnamara.com/2020/03/juniper-ex4300-ex2300-j-web-authentication-via-tacacs/
Thu, 26 Mar 2020 01:56:37 +0000

About 6 weeks back now I thought this was going to be a quick configuration and I’d be done… this was all back before the global pandemic. Unfortunately, a few minutes turned into a six-week journey.

We were looking to provide our 24×7 and IT support teams with read-only access to the CLI and J-Web interfaces on our EX4300 and EX2300 switches. We were going to start with using TAC_PLUS but we would eventually integrate with our HPE/Aruba ClearPass instances down the road (authenticating against Windows Active Directory).

I quickly found out that authenticating against TACACS+ while logging in via J-Web was broken; SSH worked fine but logging in via the web browser did not. The error “Invalid username or password specified” would always be returned. Some quick troubleshooting showed that the switches weren’t even reaching out to the TACACS+ servers, so we decided to reach out to JTAC. We were running Junos 18.2R3-S2 for the EX2300 and Junos 18.4R2-S2 for the EX4300; these were the recommended software releases for each platform at the time I started this adventure.

This past week Juniper let me know that there was a PR raised for the following;

Logging into JWEB fails with “Invalid username or password specified”, but same credentials work for SSH access to CLI when authentication-order is configured

The issue was resolved in the following software releases;

  • EX4300 – Junos 18.4R3
  • EX2300 – Junos 18.3R3-S1

I upgraded some switches in order to test and wouldn’t you know it.

It works!

Cheers!

Juniper EX4300 Virtual Chassis Switch Replacement
https://blog.michaelfmcnamara.com/2019/05/juniper-ex4300-virtual-chassis-switch-replacement/
Sun, 05 May 2019 14:38:09 +0000

We had an interesting issue last week while replacing a Cisco Catalyst 4510R with a Juniper EX4300 Stack. The second switch in the Virtual Chassis stack appeared to have a bad PoE controller since none of the PoE ports on that switch were working. So we had to replace the switch with a spare.

First we had to upgrade the JunOS code on the switch to match the software on the existing stack. After we downgraded the software we powered off the switch, connected the stacking cables or VCP ports then powered the switch back on… it was initially detected as the 4th switch in the virtual chassis stack. Next all we did was replace the serial-number for switch 1 with the new switch (switch 4) and commit.

{master:0}[edit]
root@TEST-SW01# set virtual-chassis member 1 serial-number PD37XXXXXXX

{master:0}[edit]
root@TEST-SW01# commit
configuration check succeeds
fpc2:
commit complete
fpc3:
commit complete
commit complete

That was all I needed to do. After the commit everything started working on the replaced switch. I eventually rebooted the stack just to be sure nothing broke or stopped working but everything was fine.

If you read through the JunOS libraries, you’ll find a very drawn out process documented here.

Is all that really required?
Deleting the member, and then reprogramming the switch?

Any Juniper switching gods here to confirm or deny?

Cheers!

Juniper EX4300 Series – Configuration Template
https://blog.michaelfmcnamara.com/2017/11/juniper-ex4300-series-configuration-template/
Tue, 28 Nov 2017 23:00:36 +0000

As promised, here’s the current template I’m using to configure the Juniper EX4300 series switches in my environment. Please feel free to provide corrections or updates based on your own experiences.

We’ll touch on the following configuration topics; OSPF, VLANs, DHCP relay, DHCP snooping, MAC limiting, rate limiting, BFD, TACACS+, SYSLOG, SNMP, RSTP, and BPDU filtering(blocking).

Let’s start by setting the hostname of the switch and the timezone.

set system host-name B99-SW01-EAST
set system time-zone America/New_York

Let’s set the root password; we’ll also add an ‘admin’ user later.

set system root-authentication plain-text-password 
{enter local root password}
{confirm local root password}

In this case I’m using TAC_PLUS so let’s configure TACACS+ authentication. In the example below X.X.X.X is the IP address of your TACACS+ server and Y.Y.Y.Y is the management IP address or loopback address of the switch itself.

set system tacplus-server X.X.X.X
set system tacplus-server X.X.X.X secret tac_plus_shared_secret_here
set system tacplus-server X.X.X.X single-connection
set system tacplus-server X.X.X.X source-address Y.Y.Y.Y

Let’s change the order of the authentication sources, making TACACS+ the first choice.

set system authentication-order tacplus
set system authentication-order password

Let’s set the DNS and NTP servers (in my case they are the same – Infoblox);

set system name-server X.X.X.X
set system name-server Y.Y.Y.Y
set system domain-name acme.com
set system ntp server X.X.X.X
set system ntp server Y.Y.Y.Y

Let’s create the user ‘admin’ and make that user a superuser; this will be the user role we return from TACACS+. We don’t use the ‘root’ account because then the user would need to launch the CLI interface. By doing it this way any TACACS+ user is automatically at the CLI prompt when they log in, with no need to launch the CLI prompt with ‘cli’.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password 
{enter local admin password}
{confirm local admin password}

Let’s enable SSH and the WEBUI;

set system services ssh
set system services web-management https system-generated-certificate

Let’s turn on accounting and set it to use the TACACS+ servers;

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus

Let’s enable logging and set a SYSLOG server where Z.Z.Z.Z is your syslog server IP address.

set system syslog host Z.Z.Z.Z any notice 
set system syslog file messages any notice 
set system syslog file messages authorization info 
set system syslog file messages daemon info 
set system syslog file interactive-commands interactive-commands any

Let’s create some VLANs and assign them names and VLAN IDs and L3 interfaces (DATA = 8, VOICE = 16, SECURITY = 99);

set vlans DATA vlan-id 8
set vlans DATA l3-interface irb.8
set vlans VOICE vlan-id 16
set vlans VOICE l3-interface irb.16
set vlans SECURITY vlan-id 99
set vlans SECURITY l3-interface irb.99

Let’s assign some IP addresses to our Layer3 interfaces for each VLAN;

set interfaces irb unit 8 family inet address 10.200.8.1/22
set interfaces irb unit 16 family inet address 10.200.16.1/22
set interfaces irb unit 99 family inet address 10.200.99.1/24
set interfaces lo0 unit 0 family inet address 10.200.0.11/32

You’ll notice above that I chose to match the VLAN ID to the third octet of the IP address. There’s no requirement to do this; I just choose to do it this way since this is a greenfield deployment and I don’t have any constraints around how I set up the IP address schema. You’ll also notice that I added a loopback address. This is the IP address that we’ll use to manage this switch. Since the switch will have multiple routed uplinks we want to use an IP address that will always be reachable if either routed link is down at any one time.

Now it’s time to configure some ports… by default all ports belong to VLAN 1 (the default VLAN) as access ports. In JunOS we need to use the wildcard command to configure multiple interfaces with a single command, similar to the range command in Cisco. In the samples below I’m configuring ports 0-47 on the first two switches in the virtual chassis (stack).

wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching interface-mode access 
wildcard range delete interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching  vlan members default
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching  vlan members DATA

Now, let’s add the voice VLAN to those same ports. I’m using Avaya 1600 Series IP phones with an Avaya Communication Manager.

wildcard range set switch-options voip interface ge-[0-1]/0/[0-47].0 vlan VOICE
wildcard range set switch-options voip interface ge-[0-1]/0/[0-47].0 forwarding-class expedited-forwarding

Let’s enable rate-limiting for every port at 20% of traffic – now you need to be careful here. If you have a very busy network this value may not be a good choice so some testing and evaluation is needed.

set forwarding-options storm-control-profiles standardsc all bandwidth-percentage 20
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching storm-control standardsc

Let’s set up DHCP relay for the DATA and VOICE VLANs and DHCP snooping, where X.X.X.X and Y.Y.Y.Y are your DHCP servers;

set forwarding-options dhcp-relay server-group dhcp-srv X.X.X.X
set forwarding-options dhcp-relay server-group dhcp-srv Y.Y.Y.Y
set forwarding-options dhcp-relay active-server-group dhcp-srv
set forwarding-options dhcp-relay group all interface irb.8
set forwarding-options dhcp-relay group all interface irb.16
set system processes dhcp-service dhcp-snooping-file /var/tmp/snooping write-interval 60

Let’s take care of rogue DHCP servers by enabling DHCP filtering. We’ll trust our uplinks xe-0/1/0.0 and xe-0/2/0.0

set vlans DATA forwarding-options dhcp-security group trusted overrides trusted
set vlans DATA forwarding-options dhcp-security group trusted interface xe-0/1/0.0
set vlans DATA forwarding-options dhcp-security group trusted interface xe-0/2/0.0
wildcard range set vlans DATA forwarding-options dhcp-security group untrusted interface ge-[0-1]/0/[0-47].0

Let’s enable MAC security and restrict each port to 3 MAC addresses with a 5 minute recovery time.

wildcard range set switch-options interface ge-[0-1]/0/[0-47] interface-mac-limit 3 packet-action shutdown
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching recovery-timeout 300

Let’s enable RSTP and BPDU filtering;

wildcard range set protocols rstp interface ge-[0-1]/0/[0-47] edge
set protocols rstp bridge-priority 16384
set protocols rstp bpdu-block-on-edge
set protocols layer2-control bpdu-block disable-timeout 300

Since we’re not using the local management port let’s disable the alarm (show chassis alarms).

set chassis alarm management-ethernet link-down ignore

Let’s set the SNMP configuration;

set snmp name "B99-SW01-EAST"
set snmp description "Juniper EX4300 IDF Switch"
set snmp location "B99 East First Floor"
set snmp contact "ACME IT Technical Services"
set snmp community ACME-READONLY authorization read-only

Let’s configure OSPF so we can start up routing, 10.200.0.11 is the loopback IP address we used above. The 10GE uplinks are on xe-0/1/0 and xe-0/2/0. You’ll notice that we’re also using BFD to assist in quicker convergence times should there be an interruption on that specific uplink.

set routing-options router-id 10.200.0.11
set protocols ospf area 0.0.0.0 interface xe-0/1/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/1/0 dead-interval 8
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection multiplier 4
set protocols ospf area 0.0.0.0 interface xe-0/1/0 bfd-liveness-detection full-neighbors-only
set protocols ospf area 0.0.0.0 interface xe-0/2/0 hello-interval 2
set protocols ospf area 0.0.0.0 interface xe-0/2/0 dead-interval 8
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection minimum-interval 300
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection multiplier 4
set protocols ospf area 0.0.0.0 interface xe-0/2/0 bfd-liveness-detection full-neighbors-only

Let’s make sure that we only advertise routes to connected interfaces into OSPF;

set policy-options policy-statement LOCAL_INTO_OSPF term connected from protocol direct
set policy-options policy-statement LOCAL_INTO_OSPF term connected then accept
set protocols ospf export LOCAL_INTO_OSPF

I’m not going to dive too deep into Virtual Chassis, that would likely require its own blog post, but here are the settings I’m using to minimize downtime and failover time between Routing Engines.

set chassis redundancy graceful-switchover
set routing-options graceful-restart

With all that done all that’s left to do is “commit and-quit”.
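Because a template like this is only as good as its consistency across several dozen switches, here is an added Python example (not part of the post) that audits a set-style Junos configuration for the access-control and edge-port items the template relies on, and expands the `wildcard range` interface patterns to confirm every access port is also DHCP-untrusted and MAC-limited. The sample input is a slice of the template above; one line is deliberately narrowed for the example (the MAC-limit range stops at port 46, whereas the post covers 0-47) so that the coverage check has a gap to report.

```python
import itertools
import re

# Sample input: a slice of the post's EX4300 template, with the mac-limit range
# deliberately narrowed to [0-46] for this example so a gap shows up.
SAMPLE_CONFIG = """
set system authentication-order tacplus
set system authentication-order password
set system services ssh
set system services web-management https system-generated-certificate
set system accounting destination tacplus
set system syslog host Z.Z.Z.Z any notice
set snmp community ACME-READONLY authorization read-only
wildcard range set interfaces ge-[0-1]/0/[0-47] unit 0 family ethernet-switching interface-mode access
wildcard range set vlans DATA forwarding-options dhcp-security group untrusted interface ge-[0-1]/0/[0-47].0
wildcard range set switch-options interface ge-[0-1]/0/[0-46] interface-mac-limit 3 packet-action shutdown
set protocols rstp bpdu-block-on-edge
"""

# Statements the template relies on for access control, auditability and
# edge-port protection. A check passes if any config line matches its pattern.
REQUIRED = [
    ("TACACS+ first in authentication-order", r"^set system authentication-order tacplus$"),
    ("SSH enabled", r"^set system services ssh$"),
    ("accounting sent to TACACS+", r"^set system accounting destination tacplus$"),
    ("remote syslog host", r"^set system syslog host \S+ any notice$"),
    ("read-only SNMP community", r"^set snmp community \S+ authorization read-only$"),
    ("BPDU block on edge ports", r"^set protocols rstp bpdu-block-on-edge$"),
]


def config_lines(text):
    """Yield (is_wildcard, set_statement) for each non-empty line, stripping the
    'wildcard range' prefix so the statement can be matched uniformly."""
    prefix = "wildcard range "
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(prefix):
            yield True, line[len(prefix):]
        else:
            yield False, line


def audit_required(text):
    """Map each REQUIRED check name to True/False for this configuration."""
    lines = [stmt for _, stmt in config_lines(text)]
    return {name: any(re.search(pat, stmt) for stmt in lines) for name, pat in REQUIRED}


def expand_wildcard(ifname):
    """Expand Junos wildcard ranges such as ge-[0-1]/0/[0-47] into concrete names."""
    matches = list(re.finditer(r"\[(\d+)-(\d+)\]", ifname))
    if not matches:
        return [ifname]
    ranges = [range(int(m.group(1)), int(m.group(2)) + 1) for m in matches]
    expanded = []
    for combo in itertools.product(*ranges):
        pieces, last = [], 0
        for m, value in zip(matches, combo):
            pieces.append(ifname[last:m.start()])
            pieces.append(str(value))
            last = m.end()
        pieces.append(ifname[last:])
        expanded.append("".join(pieces))
    return expanded


ACCESS_RE = re.compile(r"^set interfaces (\S+) unit 0 family ethernet-switching interface-mode access$")
UNTRUSTED_RE = re.compile(r"^set vlans \S+ forwarding-options dhcp-security group untrusted interface (\S+)\.0$")
MACLIMIT_RE = re.compile(r"^set switch-options interface (\S+) interface-mac-limit \d+ packet-action shutdown$")


def port_coverage(text):
    """Every access port should be DHCP-untrusted and MAC-limited; report the gaps."""
    access, untrusted, maclimit = set(), set(), set()
    for _, stmt in config_lines(text):
        for rx, bucket in ((ACCESS_RE, access), (UNTRUSTED_RE, untrusted), (MACLIMIT_RE, maclimit)):
            m = rx.match(stmt)
            if m:
                bucket.update(expand_wildcard(m.group(1)))
    return {
        "access_ports": len(access),
        "missing_dhcp_untrusted": sorted(access - untrusted),
        "missing_mac_limit": sorted(access - maclimit),
    }


if __name__ == "__main__":
    for name, ok in audit_required(SAMPLE_CONFIG).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}")
    print(port_coverage(SAMPLE_CONFIG))
```

Run it against `show configuration | display set` output from a switch and the coverage report tells you at once which access ports escaped the DHCP-security or MAC-limit statements, which is the kind of drift that otherwise only shows up when a rogue DHCP server appears on a forgotten port.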

Good Luck!

Campus Networking with Juniper
https://blog.michaelfmcnamara.com/2017/11/campus-networking-with-juniper/
Sat, 25 Nov 2017 18:41:47 +0000

About six months ago we started looking at replacing our aging Cisco 4500 chassis switches that were over 11 years old and starting to show their age with PoE issues, line card failures and numerous bad ports. We had a simple campus network design routing between each IDF with multiple routed links (East/West) back to a pair of Cisco 6509 core switches. In the end we decided to look at Cisco, HPE and Juniper as our top three vendor options.

As many readers will recognize I successfully deployed Avaya now Extreme (formerly Nortel) Ethernet switching solutions at my previous employer for 17 years with great success. The Avaya/Extreme product was extremely cost competitive and provided every feature that we needed to provide a highly reliable network infrastructure to a large healthcare provider. So it shouldn’t surprise anyone that I was more than comfortable looking outside of Cisco’s product offerings.

In the early stages I personally felt that HPE was probably the best positioned to win our business. I had some experience with the HPE/Aruba 3810M and it had worked well in a number of consulting engagements. That was until I received the pricing from Juniper. Juniper literally wiped up the floor and quite literally walked away with our business. We looked at the following products;

  • Cisco 3850X
  • Cisco 2960X
  • Cisco Meraki
  • HPE/Aruba 3810M
  • Juniper EX4300
  • Juniper EX3400

In the end we landed on the Juniper EX4300-48P because it met all of our requirements and enabled us to make extremely efficient use of our budget. We’ve deployed about 7 IDFs so far (~ 64 switches all total) connected to a pair of Juniper EX4600s via 10GBaseLR SFPs and we have yet to run into any major problems or issues. We did run into a few problems… but those were quickly fixed with a bag of cotton balls and some rubbing alcohol – we had to clean the fiber patches.

What did we look at in our selection? Here’s the matrix we ended up creating. If there is some inaccurate information in the table below please post a comment and I’ll be happy to update the data accordingly. I have excluded pricing information; you’ll need to do your own homework on that front.

Since my current employer believes steadfastly in 100% patching in the closet we usually end up with some very large IDFs and so the ability to have 10 switches in a stack was a large consideration. We also have a number of IDFs with very shallow racks and/or cabinets and that necessitated only looking at solutions that were under 17 inches deep.

That leaves us with a pair of Juniper EX4600s acting as the campus core running OSPF and connecting to the Juniper EX4300-48Ps in the IDFs in a Virtual Chassis configuration. Each IDF is its own L2 domain with OSPF routing between the IDF and the campus core. The Juniper EX4600s in turn connect to the Data Center Cisco 6509s. Next year’s project will be to replace the Cisco 6509s that are still in the Data Center.

I hope to put out a sample configuration guide in the coming weeks for the Juniper EX4300-48P.

Cheers!

Juniper EX4300 – no half duplex support
https://blog.michaelfmcnamara.com/2017/09/juniper-ex4300-no-half-duplex-support/
Sat, 09 Sep 2017 14:35:08 +0000

I’ve recently started deploying the Juniper EX4300 in a large campus rollout (more on that in a future post) and during a forklift upgrade last night we ran into an interesting issue. We have some Wattstopper lighting control systems that require 10Mbps half-duplex connections. We quickly discovered that the Juniper EX4300 doesn’t support half duplex, it only supports full duplex.

If you have a look at the Juniper documentation for the ELS hardware you’ll notice the following statement half-way down the page.

That explains why we weren’t able to find the link-mode option in the CLI configuration under the interface branch.

In the end we were able to get the Wattstopper working at 10Mbps full duplex.

It’s not a huge deal but it could certainly get entertaining trying to connect some of the older HVAC and SCADA solutions that utilize much older 10Mbps NICs and hubs. There was a post here that suggests the issue is related to the PHY and MACSEC.

If I get additional feedback from Juniper I’ll post it here.

Cheers!

Update: October 23, 2017

Half-duplex link support (EX4300 switches)—Starting with Junos OS 14.1X53-D40, half-duplex communication is supported on all built-in network copper ports on EX4300 switches. Half-duplex is bidirectional communication, but signals can flow in only one direction at a time. Full-duplex communication means that both ends of the communication can send and receive signals at the same time. Half-duplex is configured by default on EX4300 switches. If the link partner is set to autonegotiate the link, then the link is autonegotiated to full duplex or half duplex. If the link is not set to autonegotiation, then the EX4300 link defaults to half-duplex unless the interface is explicitly configured for full duplex.

To explicitly configure full duplex:

[edit]
user@switch# set interfaces interface-name speed 10m-or-100m
[edit]
user@switch# set interfaces interface-name ether-options no-auto-negotiate

To verify a half-duplex setting:

user@switch> show interfaces interface-name extensive

LACP Configuration Examples (Part 5)
https://blog.michaelfmcnamara.com/2013/11/lacp-configuration-examples-part-5/
Mon, 25 Nov 2013 23:07:06 +0000

Let’s keep going… let’s bring a Cisco 3750E into the topology and let’s talk about utilizing Spanning Tree. Let’s get this out of the way: Avaya does NOT recommend that you disable Spanning Tree. Avaya’s Split MultiLink Trunking (SMLT) is not compatible with the Spanning Tree Protocol so you can’t run STP over SMLT links. You can still run STP on edge ports and even ports utilizing MultiLink Trunking (MLT) or LACP/802.3ad. This is in contrast to Cisco’s Virtual Port Channel (vPC) which is interoperable with Spanning Tree.

Let’s look at expanding the topology from our last post adding a Cisco 3750E;

[Diagram: Avaya, Juniper and Cisco switch topology]

Again, that’s pretty straightforward and isn’t too exciting. Although if we leave every uplink/downlink as a member of VLAN 100 and VLAN 200 we’ll end up with a loop in our topology – not a Spanning Tree Loop. What if we add Multiple Spanning Tree Protocol (MSTP) to our configuration just to make it interesting? Our topology might look like this with 2 instances of MSTP running, one for each VLAN.

[Diagram: Avaya, Juniper and Cisco switch topology with two MSTP instances]

We’ll make the Avaya switch the root bridge for CIST. We’ll make the Juniper switch the root bridge for MST 1, and we’ll make the Cisco switch the root bridge for MST 2.

That’s interesting… let’s see what we need to do in order to configure everything. I’m going to pick up the configuration as I had it set up in the previous post, LACP Configuration Examples (Part 4). We’ll need to add another LACP group/pair to our Avaya and Juniper switches as well as configure the Cisco switch. We’ll also need to enable MSTP on each switch, add the VLANs to the correct MSTP instances and set the correct bridge priority for each.

Juniper EX2200-C Switch

configure
set chassis aggregated-devices ethernet device-count 2

delete interfaces ge-0/0/4 unit 0
delete interfaces ge-0/0/5 unit 0

set interfaces ge-0/0/4 ether-options 802.3ad ae1
set interfaces ge-0/0/5 ether-options 802.3ad ae1
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast

set interfaces ae1 unit 0 family ethernet-switching
set interfaces ae1 unit 0 family ethernet-switching port-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members [ VLAN-100 VLAN-200 ]

delete protocols rstp

set protocols mstp configuration-name AcmeNetworks
set protocols mstp revision-level 1
set protocols mstp msti 1 vlan 100
set protocols mstp msti 2 vlan 200

set protocols mstp msti 1 bridge-priority 16384
commit and-quit

Avaya Ethernet Routing Switch 5520

config t
spanning-tree mode mst
exit
boot

You’ll need to reboot the switch in order to enable MSTP, so go ahead and reboot before continuing the steps;

config t
vlan ports 25,26 tagging tagAll

interface fastEthernet 25,26
lacp key 25
lacp mode active
lacp timeout-time short
lacp aggregation enable
exit

spanning-tree mstp msti 1
spanning-tree mstp msti 1 add-vlan 100
spanning-tree mstp msti 2
spanning-tree mstp msti 2 add-vlan 200
spanning-tree mstp priority 4000

You’ll notice that the Avaya switch accepts a hexadecimal value for the priority, so 4000 in hex = 16384 in decimal.

spanning-tree mstp region region-name AcmeNetworks
spanning-tree mstp region region-version 1
exit

Cisco Catalyst 3750E Switch

config t
vlan 100
name "192-168-100-0/24"
exit
vlan 200
name "192-168-200-0/24"
exit

interface vlan 100
ip address 192.168.100.30 255.255.255.0
no shut
exit

interface vlan 200
ip address 192.168.200.30 255.255.255.0
no shut
exit

interface gig1/0/13
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active

interface gig1/0/14
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active

interface gig1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active

interface gig1/0/26
switchport trunk encapsulation dot1q
switchport mode trunk
channel-protocol lacp
channel-group 2 mode active

spanning-tree mode mst

spanning-tree mst configuration
name AcmeNetworks
revision 1
instance 1 vlan 100
instance 2 vlan 200
exit
spanning-tree mst 2 priority 16384
exit

Let’s have a look at our work and see what everything looks like from both a LACP and Spanning Tree perspective.

Cisco Catalyst 3750E Switch

Switch#show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi1/0/13  FA      127       54e0.xxxx.d440  5s     0x0    0x2    0x3     0x3F
Gi1/0/14  FA      127       54e0.xxxx.d440  5s     0x0    0x2    0x4     0x3F

Channel group 2 neighbors

Partner's information:

                  LACP port                        Admin  Oper    Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key     Number  State
Gi1/0/25  FA      32768     3475.xxxx.a400  14s    0x0    0x3019  0x19    0x3F
Gi1/0/26  FA      32768     3475.xxxx.a400  16s    0x0    0x3019  0x1A    0x3F

Switch#show spanning-tree

MST0
Spanning tree enabled protocol mstp
Root ID Priority 16384
Address 3475.xxxx.a400
Cost 0
Port 496 (Port-channel2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 10000 128.488 P2p
Po2 Root FWD 10000 128.496 P2p

MST1
Spanning tree enabled protocol mstp
Root ID Priority 16385
Address 54e0.322a.d441
Cost 10000
Port 488 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Root FWD 10000 128.488 P2p
Po2 Desg FWD 10000 128.496 P2p

MST2
Spanning tree enabled protocol mstp
Root ID Priority 16386
Address 0064.xxxx.4d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 16386 (priority 16384 sys-id-ext 2)
Address 0064.xxxx.4d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 10000 128.488 P2p
Po2 Desg FWD 10000 128.496 P2p

We can see that LACP is up and running to both the Avaya and Juniper switches. We can also see that the Cisco switch is the root bridge for MSTI 2 and the root port for MSTI 1 is Port-channel 1 (link to Juniper EX2200-C) while the root port for the CIST is Port-channel2 (link to Avaya ERS 5520). All ports are designated and forwarding traffic.
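To make the bridge ID arithmetic in these outputs explicit (the Cisco line `16386 (priority 16384 sys-id-ext 2)`, the Juniper `32770.54:e0:...` form and the Avaya hex `4000`), here is an added Python example, not part of the original post, that decodes the three vendors' bridge-priority notations and elects the per-instance root the way the protocol comparison does. The MAC addresses are constructed because the page masks them, and the switch names are labels for this example only.

```python
import re


def split_priority(bridge_priority):
    """Split a 16-bit bridge priority into the configurable base (upper 4 bits, a
    multiple of 4096) and the system ID extension (lower 12 bits, the MSTI number)."""
    if not 0 <= bridge_priority <= 0xFFFF:
        raise ValueError(f"bridge priority out of range: {bridge_priority}")
    return bridge_priority & 0xF000, bridge_priority & 0x0FFF


def instance_priority(base_priority, msti):
    """What a switch advertises for an instance: base + instance number, as in the
    Cisco output '16386 (priority 16384 sys-id-ext 2)'."""
    if base_priority % 4096 or not 0 <= base_priority <= 61440:
        raise ValueError("base priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= msti <= 4095:
        raise ValueError("MSTI must be between 0 and 4095")
    return base_priority + msti


def avaya_hex_priority(text):
    """The ERS CLI takes and shows the CIST priority in hex: '4000' -> 16384."""
    value = int(text, 16)
    if value % 4096:
        raise ValueError(f"{text} is not a multiple of 0x1000")
    return value


def normalize_mac(mac):
    """Accept Cisco dotted (0064.0000.4d80) or colon form; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {mac}")
    return digits


def parse_juniper_bridge_id(text):
    """'16386.00:64:00:00:4d:80' -> (16386, '006400004d80'), the 'priority.mac' form
    Junos prints in 'show spanning-tree bridge'."""
    prio, _, mac = text.partition(".")
    return int(prio), normalize_mac(mac)


def elect_root(bridges):
    """bridges: {name: (instance priority, mac digits)}. The lowest (priority, MAC)
    pair wins, which is exactly the 802.1D/802.1Q bridge ID comparison."""
    return min(bridges, key=lambda name: (bridges[name][0], int(bridges[name][1], 16)))


# Constructed scenario matching the post: Avaya is CIST root (priority 0x4000),
# Juniper is MSTI 1 root, Cisco is MSTI 2 root; everything else stays at 32768.
# The MACs on the page are masked, so these are made-up but well-formed values.
MACS = {"avaya": "34:75:00:00:a4:00", "juniper": "54:e0:00:00:d4:41", "cisco": "0064.0000.4d80"}
BASE = {
    0: {"avaya": avaya_hex_priority("4000"), "juniper": 32768, "cisco": 32768},
    1: {"avaya": 32768, "juniper": 16384, "cisco": 32768},
    2: {"avaya": 32768, "juniper": 32768, "cisco": 16384},
}


def expected_roots():
    """Elect the root for the CIST (instance 0), MSTI 1 and MSTI 2."""
    roots = {}
    for msti, bases in BASE.items():
        bridges = {name: (instance_priority(base, msti), normalize_mac(MACS[name]))
                   for name, base in bases.items()}
        roots[msti] = elect_root(bridges)
    return roots


if __name__ == "__main__":
    for msti, root in expected_roots().items():
        print(f"instance {msti}: root is {root}")
    print(split_priority(16386), split_priority(32770))
```

The `split_priority` helper is the quickest way to sanity-check a `show spanning-tree` line: if the lower 12 bits do not equal the instance number you are looking at, you are reading the wrong instance or the wrong vendor's notation.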

Juniper EX2200-C Switch

root> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/1                  Current   Fast periodic Collecting distributing

Aggregated interface: ae1
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/5       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/5     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/4                  Current   Slow periodic Collecting distributing
      ge-0/0/5                  Current   Slow periodic Collecting distributing

root> show spanning-tree bridge

STP bridge parameters
Context ID : 0
Enabled protocol : MSTP

STP bridge parameters for CIST
Root ID : 16384.34:75:xx:xx:a4:00
Root cost : 0
Root port : ae0.0
CIST regional root : 16384.34:75:xx:xx:a4:00
CIST internal root cost : 10000
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Hop count : 19
Message age : 0
Number of topology changes : 2
Time since last topology change : 14690 seconds
Topology change initiator : ae0.0
Topology change last recvd. from : 34:75:xx:xx:a4:01
Local parameters
Bridge ID : 32768.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 0

STP bridge parameters for MSTI 1
MSTI regional root : 16385.54:e0:xx:xx:d4:41
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Number of topology changes : 5
Topology change initiator : ae1.0
Topology change last recvd. from : 00:64:xx:xx:4d:8d
Local parameters
Bridge ID : 16385.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 1

STP bridge parameters for MSTI 2
MSTI regional root : 16386.00:64:xx:xx:4d:80
Root cost : 10000
Root port : ae1.0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Hop count : 19
Number of topology changes : 6
Topology change initiator : ae1.0
Topology change last recvd. from : 00:64:xx:xx:4d:8d
Local parameters
Bridge ID : 32770.54:e0:xx:xx:d4:41
Extended system ID : 0
Internal instance ID : 2

Avaya Ethernet Routing Switch 5520

5520-48T-PWR#show lacp port 13-14,25-26
Admin Oper Trunk Partner
Port Priority Lacp A/I Timeout Key Key AggrId Id Port Status
---- -------- ------- --- ------- ----- ----- ------ ----- ------- ------
13 32768 Active A Short 1 12289 8224 32 1 Active
14 32768 Active A Short 1 12289 8224 32 2 Active
25 32768 Active A Short 25 12313 8223 31 282 Active
26 32768 Active A Short 25 12313 8223 31 283 Active

5520-48T-PWR#show spanning-tree mstp config
Maximum Mst Instance Number: 8
Number of Msti Supported: 2
Cist Bridge Priority (hex): 4000
Stp Version: Mstp Mode
Cist Bridge Max Age: 20 seconds
Cist Bridge Forward Delay: 15 seconds
Tx Hold Count: 3
Path Cost Default Type: 32-bit
Max Hop Count: 2000

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
1

Msti Config Id Selector: 0
Msti Region Name: AcmeNetworks
Msti Region Version: 1
Msti Config Digest: 6D:A4:B5:0C:4F:D5:87:75:7E:EF:03:56:75:36:05:E1

5520-48T-PWR#show spanning-tree mstp msti config 1
Msti Bridge Regional Root:  40:00:54:E0:xx:xx:D4:41
Msti Bridge Priority (hex): F000
Msti Root Cost:             10000
Msti Root Port:             MLT 32
Msti State:                 Enabled

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
100

5520-48T-PWR#show spanning-tree mstp msti config 2
Msti Bridge Regional Root:  40:00:00:64:xx:xx:4D:80
Msti Bridge Priority (hex): F000
Msti Root Cost:             10000
Msti Root Port:             MLT 31
Msti State:                 Enabled

VLAN members
------ ------ ------ ------ ------ ------ ------ ------ ------ ------
200

5520-48T-PWR#show spanning-tree mstp msti port role 1
Port Role State STP Status Oper Status
---- ---------- ---------- ---------- -----------
13 Root Forwarding Enabled Enabled
14 Root Forwarding Enabled Enabled
25 Alternate Discarding  Enabled Enabled
26 Alternate Discarding  Enabled Enabled

5520-48T-PWR#show spanning-tree mstp msti port role 2
Port Role State STP Status Oper Status
---- ---------- ---------- ---------- -----------
13 Alternate Discarding  Enabled Enabled
14 Alternate Discarding  Enabled Enabled
25 Root Forwarding Enabled Enabled
26 Root Forwarding Enabled Enabled

We can see from the output above that ports 13,14 are Alternate Discarding for MSTI 1 while ports 25,26 are Alternate Discarding for MSTI 2.

In the output we can see which port is the root port on each switch; we can also see the MSTP configuration digest, which should match on every switch in the topology. For the configuration to be valid, the MST region name, version and configuration selector must match, and the same VLAN IDs must be mapped to the same MST instance on every switch.

Cheers!
Image Credit: New York City Brooklyn Bridge by Diogo Ferrari

LACP Configuration Examples (Part 4)
https://blog.michaelfmcnamara.com/2013/11/lacp-configuration-examples-part-4/
Fri, 22 Nov 2013 22:38:56 +0000

As is usually the case at this time of year I have some vacation time to burn. After all my chores and mini projects I still have time left for tinkering, so this past week I opened the box on a Juniper EX2200-C switch. I’ve enjoyed configuring and deploying the Juniper SRX security gateway, so I was eager to see what I could do with the EX2200-C.

In the past I’ve demonstrated how to connect an Avaya Ethernet Routing Switch 8600 to an Avaya Ethernet Switch 470, an Avaya Ethernet Routing Switch 8600 Cluster to an Avaya Ethernet Switch 470 via SMLT, an Avaya Ethernet Routing Switch 8600 Cluster to a HP GbE2c(Blade Technologies) via SMLT, and even an Avaya Ethernet Routing Switch 5520 to Cisco Catalyst 3750E.

In this post I’ll demonstrate how to establish an LACP 802.3ad link over 2 Gigabit interfaces between an Avaya Ethernet Routing Switch 5520 and a Juniper EX2200C switch. This isn’t really rocket science but I’m continually getting questions from all four corners of the globe regarding LACP configurations.

Sample Topology

This is a pretty simple topology: we’ll connect ports 13 and 14 on the ERS-5520 to ports ge-0/0/0 and ge-0/0/1 on the EX2200-C respectively. We’ll create VLANs 100 and 200 and assign them IP interfaces in the 192.168.100.0/24 and 192.168.200.0/24 networks respectively. We’ll test connectivity by pinging from one switch to the other on each VLAN.

LACP EXAMPLES #4

Avaya Ethernet Routing Switch 5520

Here’s the configuration for the ERS-5520:

vlan ports 13,14 tagging tagAll

vlan create 100 name "VLAN-100" type port
vlan create 200 name "VLAN-200" type port

vlan members remove 1 all
vlan members add 100 13,14
vlan members add 200 13,14

interface vlan 100
ip address 192.168.100.10 255.255.255.0
exit
interface vlan 200
ip address 192.168.200.10 255.255.255.0
exit

ip routing
interface fastEthernet 13,14
lacp key 1
lacp mode active
lacp timeout-time short
lacp aggregation enable
exit

Juniper EX2200-C Switch

Here’s the configuration for the EX2200-C:

set vlans VLAN-100 vlan-id 100
set vlans VLAN-200 vlan-id 200
set interfaces vlan unit 100 family inet address 192.168.100.20/24
set interfaces vlan unit 200 family inet address 192.168.200.20/24
set vlans VLAN-100 l3-interface vlan.100
set vlans VLAN-200 l3-interface vlan.200

delete interfaces ge-0/0/0 unit 0
delete interfaces ge-0/0/1 unit 0
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/0 ether-options 802.3ad ae0
set interfaces ge-0/0/1 ether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast

set interfaces ae0 unit 0 family ethernet-switching
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members [ VLAN-100 VLAN-200 ]

That’s really all there is to it… hopefully it’s pretty straightforward.

Troubleshooting

If you want to make sure that LACP is up and running there are a few commands you can use:

Juniper

root> show interfaces ae0 extensive
Physical interface: ae0, Enabled, Physical link is Up
  Interface index: 143, SNMP ifIndex: 531, Generation: 146
  Link-level type: Ethernet, MTU: 1514, Speed: 2Gbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Current address: 54:e0:xx:2a:d4:43, Hardware address: 54:e0:xx:2a:d4:43
  Last flapped   : 2012-08-25 10:41:06 UTC (01:35:06 ago)
  Statistics last cleared: Never
  Traffic statistics:
   Input  bytes  :              2101034                 3056 bps
   Output bytes  :              1566394                 2032 bps
   Input  packets:                19178                    2 pps
   Output packets:                11909                    0 pps
   IPv6 transit statistics:
    Input  bytes  :                   0
    Output bytes  :                   0
    Input  packets:                   0
    Output packets:                   0
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0,
    Policed discards: 0, Resource errors: 0
  Output errors:
    Carrier transitions: 2, Errors: 0, Drops: 0, MTU errors: 0,
    Resource errors: 0

  Logical interface ae0.0 (Index 65) (SNMP ifIndex 533) (Generation 145)
    Flags: SNMP-Traps 0x40004000 Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :          2936          0        176682            0
        Output:            94          0          7163            0
    Link:
      ge-0/0/0.0
      ge-0/0/1.0
    LACP info:        Role     System             System      Port    Port  Port
                             priority          identifier  priority  number   key
      ge-0/0/0.0     Actor        127  54:e0:32:xx:d4:40       127       1     1
      ge-0/0/0.0   Partner      32768  34:75:c7:xx:a4:00     32768      13 12289
      ge-0/0/1.0     Actor        127  54:e0:32:xx:d4:40       127       2     1
      ge-0/0/1.0   Partner      32768  34:75:c7:xx:a4:00     32768      14 12289
    LACP Statistics:       LACP Rx     LACP Tx   Unknown Rx   Illegal Rx
      ge-0/0/0.0              5708        5699            0            0
      ge-0/0/1.0              5708        5699            0            0
    Marker Statistics:   Marker Rx     Resp Tx   Unknown Rx   Illegal Rx
      ge-0/0/0.0                 0           0            0            0
      ge-0/0/1.0                 0           0            0            0
    Protocol eth-switch, Generation: 162, Route table: 0
      Flags: Trunk-Mode

root> show lacp interfaces
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/1                  Current   Fast periodic Collecting distributing
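Reading the Dist/Col/Syn columns and the two Timeout columns by eye across many bundles gets old quickly, so here is an added Python check, not code from the original post, that parses Junos `show lacp interfaces` output such as the two listings on this page (the three-switch example earlier and the ERS-5520/EX2200-C one here) and reports members that are not synchronised, collecting and distributing, or whose actor and partner disagree on the LACP timeout. The sample output it runs over is constructed to resemble the page's listings, with one deliberately broken member.

```python
import re
from dataclasses import dataclass, field

# Columns of the "LACP state:" table in Junos 'show lacp interfaces' output.
STATE_COLS = ("Exp", "Def", "Dist", "Col", "Syn", "Aggr", "Timeout", "Activity")
# "LACP protocol:" rows hold multi-word values; key the split on the transmit state.
PROTO_RE = re.compile(r"^(?P<intf>\S+)\s+(?P<rx>.+?)\s+"
                      r"(?P<tx>(?:Fast|Slow|No) periodic|Periodic timer)\s+(?P<mux>.+)$")


@dataclass
class Member:
    """One physical link of an aggregated Ethernet bundle (aeN)."""
    name: str
    actor: dict = field(default_factory=dict)    # our side's state flags
    partner: dict = field(default_factory=dict)  # flags learned from the far end
    rx_state: str = ""
    tx_state: str = ""
    mux_state: str = ""


def parse_lacp_interfaces(text):
    """Return {bundle: {member: Member}} parsed from 'show lacp interfaces' text."""
    bundles, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Aggregated interface:"):
            current = line.split(":", 1)[1].strip()
            bundles[current], section = {}, None
        elif line.startswith("LACP state:"):
            section = "state"
        elif line.startswith("LACP protocol:"):
            section = "protocol"
        elif not line or current is None or section is None:
            continue
        elif section == "state":
            parts = line.split()
            if len(parts) != 2 + len(STATE_COLS):
                continue
            member = bundles[current].setdefault(parts[0], Member(parts[0]))
            flags = dict(zip(STATE_COLS, parts[2:]))
            if parts[1] == "Actor":
                member.actor = flags
            elif parts[1] == "Partner":
                member.partner = flags
        else:
            m = PROTO_RE.match(line)
            if m and m.group("intf") in bundles[current]:
                member = bundles[current][m.group("intf")]
                member.rx_state, member.tx_state, member.mux_state = m.group("rx", "tx", "mux")
    return bundles


def check_bundle(members):
    """Return findings for one bundle; an empty list means every member is healthy."""
    findings = []
    for m in members.values():
        for role, flags in (("actor", m.actor), ("partner", m.partner)):
            if flags.get("Exp") == "Yes":
                findings.append(f"{m.name}: {role} state Expired (LACPDUs stopped arriving)")
            if flags.get("Def") == "Yes":
                findings.append(f"{m.name}: {role} state Defaulted (no LACPDUs from the far end)")
            down = [c for c in ("Syn", "Col", "Dist") if flags.get(c) != "Yes"]
            if down:
                findings.append(f"{m.name}: {role} not {'/'.join(down)}")
        if m.actor.get("Timeout") != m.partner.get("Timeout"):
            findings.append(f"{m.name}: timeout mismatch (actor {m.actor.get('Timeout')}, "
                            f"partner {m.partner.get('Timeout')})")
        if m.mux_state.lower() != "collecting distributing":
            findings.append(f"{m.name}: mux state '{m.mux_state}', link carries no bundle traffic")
    return findings


# Constructed sample modelled on the listings above: ae0 is healthy, ae1 has a
# Fast/Slow timeout mismatch on ge-0/0/4 and a dead member ge-0/0/5.
SAMPLE_OUTPUT = """\
Aggregated interface: ae0
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/0                  Current   Fast periodic Collecting distributing
      ge-0/0/1                  Current   Fast periodic Collecting distributing

Aggregated interface: ae1
    LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
      ge-0/0/4       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
      ge-0/0/4     Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
      ge-0/0/5       Actor    No   Yes    No   No   No   Yes     Fast    Active
      ge-0/0/5     Partner    No   Yes    No   No   No   Yes     Slow   Passive
    LACP protocol:        Receive State  Transmit State          Mux State
      ge-0/0/4                  Current   Slow periodic Collecting distributing
      ge-0/0/5                Defaulted   Slow periodic            Detached
"""

if __name__ == "__main__":
    for bundle, members in parse_lacp_interfaces(SAMPLE_OUTPUT).items():
        problems = check_bundle(members)
        print(f"{bundle}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  " + p)
```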

It’s always a good idea to have a look at the MAC or forwarding table to see what it looks like:

root> show ethernet-switching table
Ethernet-switching table: 7 entries, 2 learned
  VLAN              MAC address       Type         Age Interfaces
  default           54:e0:32:xx:d4:41 Static         - Router
  VLAN-100          *                 Flood          - All-members
  VLAN-100          34:75:c7:xx:a4:41 Learn       2:02 ae0.0
  VLAN-100          54:e0:32:xx:d4:41 Static         - Router
  VLAN-200          *                 Flood          - All-members
  VLAN-200          34:75:c7:xx:a4:42 Learn       1:50 ae0.0
  VLAN-200          54:e0:32:xx:d4:41 Static         - Router

Avaya

5520-48T-PWR#show lacp stats 13,14
Port 13   -------------------------------------
          LACPDUs Rx:             5784
          LACPDUs Tx:             6631
          MarkerPDUs Rx:          0
          MarkerResponsePDUs Rx:  0
          MarkerPDUs Tx:          0
          MarkerResponsePDUs Tx:  0
          UnknownPDUs Rx:         0
          IllegalPDUs Rx:         0
Port 14   -------------------------------------
          LACPDUs Rx:             5784
          LACPDUs Tx:             6631
          MarkerPDUs Rx:          0
          MarkerResponsePDUs Rx:  0
          MarkerPDUs Tx:          0
          MarkerResponsePDUs Tx:  0
          UnknownPDUs Rx:         0
          IllegalPDUs Rx:         0

5520-48T-PWR#show lacp port 13,14
                                  Admin Oper         Trunk Partner
Port Priority Lacp    A/I Timeout Key   Key   AggrId Id    Port    Status
---- -------- ------- --- ------- ----- ----- ------ ----- ------- ------
13   32768    Active  A   Short   1     12289 8224   32    1       Active
14   32768    Active  A   Short   1     12289 8224   32    2       Active

5520-48T-PWR#show lacp aggr
Aggr ID Trunk Status   Type   Members
------- ----- -------- ------ -------------------
8224    32    Enabled  LA     13-14

Let’s see what the forwarding table on the Avaya switch looks like:

5520-48T-PWR#show mac-address-table
Mac Address Table Aging Time: 300
Number of addresses: 4

   MAC Address    Vid  Source          MAC Address    Vid  Source
----------------- ---- -------      ----------------- ---- -------
34-75-C7-XX-A4-00    1              54-E0-32-XX-D4-43    1 Trunk:32
54-E0-32-XX-D4-44    1 Trunk:32     34-75-C7-XX-A4-41  100
54-E0-32-XX-D4-41  100 Trunk:32     34-75-C7-XX-A4-42  200
54-E0-32-XX-D4-41  200 Trunk:32

We need to determine what “Trunk 32” is, so we issue the following command:

5520-48T-PWR#show mlt 32
Id Name             Members                Bpdu   Mode           Status  Type
-- ---------------- ---------------------- ------ -------------- ------- ------
32 Trunk #32        13-14                  Single DynLag/Basic   Enabled Trunk

Cheers!

Automation – Poor Mans Style
https://blog.michaelfmcnamara.com/2013/08/automation-poor-mans-style/
Fri, 16 Aug 2013 13:00:17 +0000

There has been a lot of discussion recently in networking circles surrounding automation, especially in discussions about Software Defined Networking (SDN). While automation means different things to different people, I would define it as any tool or solution that automates repetitive tasks (making the job easier) while making the output more consistent and ultimately the network more reliable. I’m a huge proponent of having the computer do the work; I guess that could be defined as automation.

The purpose of this post is to provide some simple examples of how you can start automating today. These are not glamorous solutions, hence the poor man’s slogan, but they should give some idea of what’s possible. There are plenty of open-source and commercial solutions out there; one that’s been receiving some extra press these past few months is Puppet.

In my current organization we deploy a lot of equipment, and we usually do so on a very tight timetable where we have hours, not days or weeks, to turn up a closet or a remote site. So our time is extremely precious, but more importantly we can’t afford to be troubleshooting configuration errors that could easily be avoided with some simple automation. Like numerous organizations before us we too had Microsoft Word templates and Excel macros and formulas, but we almost always ran into problems with the human element of the equation.

I took a small 1Gbps CentOS Linux guest with a LAMP (Linux, Apache, MySQL, PHP) stack and started throwing together some Perl, PHP and JavaScript code. The outcome was a pretty powerful example of what’s possible without a big capital investment or some consulting company reaching their quarterly sales goal on your dime.

Here are three simple examples, each an adaptation of the previous one, adding features as time allowed and the solutions matured.

Juniper SRX – VPN Branch Offices

While we were migrating our remote branch offices (31+ locations in all) to Juniper SRX Service Gateways we quickly realized we needed a more reliable solution than building the configuration by hand. We had a Microsoft Word template with various fields marked {RED}; the field engineer would perform a search-and-replace to build the configuration. In our first few conversions we had a number of typos in the configuration that caused us to overrun our scheduled maintenance window. How could we make configuring the Juniper SRX easier for our field engineers? What about a web-based portal that takes in the assorted variables and outputs a working configuration?

Juniper SRX Configuration Generator

The solution was really quite easy and has been done by others before. The field engineer plugs in a few values and the Perl/PHP application spits back a complete configuration for both the branch office Juniper SRX 210H and the main office Juniper SRX 650. The initial version of the application required the field engineer to enter a random 128 character shared key, later versions of the application automatically generated a random shared key for use in the configuration. This approach completely eliminated any other configuration issues during the migration project and is now part of our standard process for a new greenfield site.

Avaya Ethernet Routing Switch 4850GTS-PWR+

On the heels of that migration we had a very large expansion project underway at our largest facility. The physical construction called for the installation of about 63+ Avaya Ethernet Routing Switch 4850GTS-PWR+ switches. To help streamline the configuration process and eliminate configuration errors I built an adaptation of the earlier application to fit the requirements of this project. I expanded the functionality of the original application by adding JavaScript code to perform client-side data validation: if a field called for an IP address, the JavaScript code would only submit the data to the server if the field passed validation. It was pretty straightforward and simple, but we took the original solution and improved on it.

Avaya Ethernet Routing Switch Configuration Generator
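The two generators above share one shape: the engineer supplies a handful of values, the server validates them, and matching configurations come out, with the later SRX versions minting the shared key themselves. Here is an added Python sketch of that workflow, not the author's Perl/PHP application; the Junos template lines, names and addresses are hypothetical and deliberately minimal, and the validation runs on the server because the browser-side JavaScript described for the ERS generator is a convenience that a caller can bypass.

```python
"""Added example of the generator workflow described above (not the author's
Perl/PHP application): validate the engineer's inputs on the server, mint a
random shared key, and render matching branch and head-office Junos snippets."""
import ipaddress
import re
import secrets
import string
from string import Template

# Hypothetical, deliberately minimal templates: a real SRX deployment also needs
# IKE/IPsec proposals and policies, security zones, policies and routing.
BRANCH_TMPL = Template("""\
set security ike policy ike-pol-$site pre-shared-key ascii-text "$psk"
set security ike gateway gw-$site ike-policy ike-pol-$site
set security ike gateway gw-$site address $hub_ip
set security ike gateway gw-$site external-interface $branch_ext_if
set security ipsec vpn vpn-$site ike gateway gw-$site
set security ipsec vpn vpn-$site bind-interface st0.0
set interfaces st0 unit 0 family inet address $branch_tunnel_ip
""")
HUB_TMPL = Template("""\
set security ike policy ike-pol-$site pre-shared-key ascii-text "$psk"
set security ike gateway gw-$site ike-policy ike-pol-$site
set security ike gateway gw-$site address $branch_ip
set security ike gateway gw-$site external-interface $hub_ext_if
set security ipsec vpn vpn-$site ike gateway gw-$site
set security ipsec vpn vpn-$site bind-interface st0.$unit
set interfaces st0 unit $unit family inet address $hub_tunnel_ip
""")

SITE_RE = re.compile(r"^[a-z][a-z0-9-]{1,15}$")
IFACE_RE = re.compile(r"^(?:ge|xe|fe)-\d+/\d+/\d+\.\d+$")
PSK_RE = re.compile(r"^[A-Za-z0-9]{32,128}$")   # alphanumeric only: safe to quote


def generate_psk(length=128):
    """128 alphanumeric characters from the OS CSPRNG, as the post's later versions did."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validate(params):
    """Server-side checks; the browser-side JavaScript described in the post is a
    convenience for the engineer, not a security control, since it can be bypassed."""
    errors = []
    if not SITE_RE.match(params.get("site", "")):
        errors.append("site: 2-16 lowercase letters, digits or '-'")
    for key in ("hub_ip", "branch_ip"):
        try:
            ipaddress.ip_address(params.get(key, ""))
        except ValueError:
            errors.append(f"{key}: not a valid IP address")
    for key in ("branch_tunnel_ip", "hub_tunnel_ip"):
        try:
            if ipaddress.ip_interface(params.get(key, "")).network.prefixlen in (32, 128):
                raise ValueError("prefix length missing")
        except ValueError:
            errors.append(f"{key}: must be address/prefix, e.g. 10.255.7.2/30")
    for key in ("branch_ext_if", "hub_ext_if"):
        if not IFACE_RE.match(params.get(key, "")):
            errors.append(f"{key}: not a Junos logical interface like ge-0/0/0.0")
    if not str(params.get("unit", "")).isdigit():
        errors.append("unit: st0 unit number must be a non-negative integer")
    return errors


def build_configs(params, psk=None):
    """Return (branch_config, hub_config) sharing one key, or raise ValueError."""
    errors = validate(params)
    if errors:
        raise ValueError("; ".join(errors))
    psk = psk or generate_psk()
    if not PSK_RE.match(psk):
        raise ValueError("psk: 32-128 alphanumeric characters expected")
    values = dict(params, psk=psk)
    return BRANCH_TMPL.substitute(values), HUB_TMPL.substitute(values)


# Constructed input using documentation-range addresses, as an engineer might post it.
EXAMPLE_PARAMS = {
    "site": "branch07", "unit": "7",
    "hub_ip": "203.0.113.1", "branch_ip": "198.51.100.7",
    "hub_ext_if": "ge-0/0/1.0", "branch_ext_if": "ge-0/0/0.0",
    "hub_tunnel_ip": "10.255.7.1/30", "branch_tunnel_ip": "10.255.7.2/30",
}

if __name__ == "__main__":
    branch, hub = build_configs(EXAMPLE_PARAMS)
    print("# branch SRX\n" + branch + "\n# head-office SRX\n" + hub)
```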

APC UPS/PDU Management Cards

In that same expansion project we also identified the need to streamline the configuration of the American Power Conversion (APC) UPSes and PDUs that we were deploying throughout the infrastructure. If you’ve ever worked with them you know they can be somewhat difficult to quickly and easily configure. Our field engineers were spending on average 1 hour to configure each device, and often there were inconsistencies in the configuration depending on which field engineer had performed it. So we came up with a new streamlined process which allows the engineer to complete the task in about 15 minutes. The field engineer manually configures a DHCP reservation (manual DHCP) using the MAC address of the management card within our Infoblox IP address management solution. Once the UPS or PDU is online and communicating with the network, the field engineer plugs a number of variables into the web browser and the Perl application outputs the configuration. In this case we decided to take the solution one step further by having the Perl application actually program the configuration into the device: it generates the configuration and then makes an FTP call to the actual asset to upload it. The only thing left for the field engineer was to perform some simple tests once the task was complete, to verify that the asset was reporting (sending SNMP traps) to our management platform. Even that last step could probably have been automated.

APC UPS PDU Configuration Generator

My Thoughts

There are a number of frameworks I could have used in writing these applications, but I decided to keep it simple (this time around). The point here is just to provide an example of what’s possible. There are quite a few tools and solutions in the marketplace that already leverage SNMP, NETCONF, XML, SOAP APIs, etc. to provide integration between systems as well as management and automation.

Wouldn’t it be great if the last application accepted the MAC address of the APC UPS/PDU and made an automated call to Infoblox and automatically created a DHCP reservation for that asset? Thereby streamlining the process even further? There’s nothing stopping me from doing that other than the time and energy it takes to code the solution and then test it appropriately.

I’m not ready right now to release the actual code, but if enough people request it I will work on creating sanitized copies and release the code under a GPL license.

Let me know what you’re doing around automation.

I recall a number of interesting posts a few years back where some folks had completely automated how they inventory and on-board their IP phones. They were using bar code scanners to collect the information from the outside of the box and then had an automated process for taking that information and creating the necessary configuration files for a zero-touch installation, including the actual node and TN information for the Avaya Communication Server 1000. That was a pretty neat example of automation in my opinion and obviously saved them a lot of time and effort.

Cheers!

Book – Juniper SRX Series
https://blog.michaelfmcnamara.com/2013/07/book-juniper-srx-series/
Tue, 30 Jul 2013 15:16:56 +0000

A few weeks ago I started reading a new book published by O’Reilly Media entitled Juniper SRX Series by Brad Woodberg and Rob Cameron. I’ve been reading up on the Juniper SRX in preparation to sit for the JNCIS-SEC test, having passed the JNCIA-Junos test a few weeks back.

I’ve deployed the Juniper SRX 650 and the Juniper SRX 210H in a typical corporate branch office tunnel architecture utilizing route-based VPN tunnels with OSPF and Point to Multi-Point interfaces along with virtual router instances. Since that deployment I’ve really come to enjoy using the Junos CLI interface.

While there are a few grammatical errors (who am I to criticize) the book contains a large number of example configurations and actually shows the reader how to implement the feature and/or option as opposed to just defining it.

In the spirit of full disclosure, I received an electronic copy of the book, Juniper SRX Series, from Juniper free of charge.

Study Material

If you are looking to take the JNCIA-Junos or the JNCIS-SEC you can find the study guides from Juniper here:

https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

You’ll need to create an account with Juniper in order to access the study material.

I’m personally reviewing both the study material provided by Juniper along with the book, Juniper SRX Series, to validate my understanding of each feature and option.

Cheers!

Juniper Junos Idle Timeout
https://blog.michaelfmcnamara.com/2012/11/junos-idle-timeout/
Sat, 03 Nov 2012 17:49:59 +0000

Juniper SRX 210

I recently noticed that Junos doesn’t set an idle timeout on CLI sessions for newly created user/administrator logins. It doesn’t set an idle timeout (by default) on the default root account either. While this wouldn’t be much of a concern for most, we place analog modems on the console ports of all our remote office Juniper SRX 210Hs. If an engineer or administrator forgets to log out of the console before hanging up the modem, we could have a big security problem: someone could stumble across our device (by war dialing or accidentally) and find themselves logged into a Juniper SRX 210H with full administrator privileges.

Thankfully you can configure an idle timeout for CLI sessions in Junos.

We don’t use the default root account but instead create an admin account for day-to-day management and configuration changes. Here are the steps we use to create that admin account:

set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication plain-text-password password

That leaves us with the following configuration:

user admin {
    full-name Administrator;
    uid 100;
    class super-user;
    authentication {
        encrypted-password "*****************************"; ## SECRET-DATA
    }
}

Since the idle-timeout value is set per user class and we can’t modify the default super-user class, we had to create a new class called super-user-local. After setting the idle-timeout and permissions we add the user admin to that class.

set system login class super-user-local idle-timeout 10
set system login class super-user-local permissions all
set system login user admin class super-user-local

If we look at the configuration after those changes we should be able to see the new user class.

class super-user-local {
    idle-timeout 10;
    permissions all;
}
user admin {
    full-name Administrator;
    uid 100;
    class super-user-local;
    authentication {
        encrypted-password "********************************"; ## SECRET-DATA
    }
}

And now let’s test it…

[root@linux ~]# telnet vpn-testlab
Trying 10.101.203.1...
Connected to vpn-testlab (10.1.1.1).
Escape character is '^]'.

vpn-testlab (ttyp0)

login: admin
Password:

--- JUNOS 10.4R9.2 built 2012-02-02 08:09:42 UTC
admin@vpn-testlab> 

Warning: session will be closed in 5 minutes if there is no activity
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session

Connection closed by foreign host.

With that change any CLI sessions that are idle for 10 minutes will be automatically logged out.
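The fix above only helps for users actually placed in a class that carries an idle-timeout; a user left in the unmodifiable super-user class, or in a custom class nobody gave a timeout, still never gets logged out. Here is an added Python audit, not code from the original post, that walks `show configuration | display set` style lines and reports every such user; the configuration it runs over is constructed for the example, with the password hash replaced by a placeholder.

```python
import re

# Junos predefined login classes: they ship without an idle-timeout and cannot
# be edited, which is why the post creates super-user-local instead.
BUILTIN_CLASSES = {"super-user", "operator", "read-only", "unauthorized"}

CLASS_RE = re.compile(r"^set system login class (\S+)(?: (.+))?$")
USER_CLASS_RE = re.compile(r"^set system login user (\S+) class (\S+)$")
USER_RE = re.compile(r"^set system login user (\S+)")


def parse_login_config(text):
    """Parse 'show configuration | display set' lines for the login hierarchy.

    Returns (classes, users): classes maps name -> {"idle-timeout": minutes or
    None, "permissions": [...]}, users maps name -> class name (None if unset).
    """
    classes, users = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            entry = classes.setdefault(m.group(1), {"idle-timeout": None, "permissions": []})
            words = [w for w in (m.group(2) or "").split() if w not in ("[", "]")]
            if len(words) >= 2 and words[0] == "idle-timeout":
                entry["idle-timeout"] = int(words[1])
            elif words and words[0] == "permissions":
                entry["permissions"].extend(words[1:])
            continue
        m = USER_CLASS_RE.match(line)
        if m:
            users[m.group(1)] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            users.setdefault(m.group(1), None)
    return classes, users


def audit_idle_timeout(text, max_minutes=10):
    """Return one finding per user whose CLI session never times out, or not soon enough."""
    classes, users = parse_login_config(text)
    findings = []
    for user, cls in users.items():
        if cls is None:
            findings.append(f"{user}: no login class assigned")
        elif cls in BUILTIN_CLASSES:
            findings.append(f"{user}: built-in class '{cls}' has no idle-timeout and cannot "
                            "be edited; move the user to a custom class")
        elif cls not in classes:
            findings.append(f"{user}: class '{cls}' is not defined")
        elif classes[cls]["idle-timeout"] is None:
            findings.append(f"{user}: class '{cls}' has no idle-timeout configured")
        elif classes[cls]["idle-timeout"] > max_minutes:
            findings.append(f"{user}: class '{cls}' idle-timeout "
                            f"{classes[cls]['idle-timeout']} min exceeds {max_minutes} min")
    return findings


# Constructed sample: the post's admin/super-user-local pair plus two users
# that would slip through (a custom class without a timeout, a built-in class).
SAMPLE_CONFIG = """\
set system login class super-user-local idle-timeout 10
set system login class super-user-local permissions all
set system login class noc-ro permissions [ view view-configuration ]
set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user-local
set system login user admin authentication encrypted-password "HASH-PLACEHOLDER"
set system login user noc1 uid 101
set system login user noc1 class noc-ro
set system login user legacy uid 102
set system login user legacy class super-user
"""

if __name__ == "__main__":
    for finding in audit_idle_timeout(SAMPLE_CONFIG) or ["all users have an idle-timeout"]:
        print(finding)
```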

I mentioned creating a few screencasts, so here’s my first “public” attempt. I’ve created a few private screencasts for my employer from time to time but nothing public. Have a look below; feel free to leave any feedback, even constructive criticism is welcome. I know that I need to work on my microphone volume and setup. I don’t smoke, but you’d never know that by listening to the video with my heavy breathing. Anyway, if you decide to watch, why not have a go at counting the number of uhms or ahs?

Cheers!

Juniper Networks
https://blog.michaelfmcnamara.com/2012/10/juniper-networks/
Sun, 28 Oct 2012 14:41:34 +0000

I traveled to Juniper‘s offices in San Jose, CA on Friday afternoon, October 12, 2012 for Networking Field Day 4. We met with Derick Winkworth and a number of Juniper product managers and specialists.

I actually have some experience with Juniper and JunOS. I currently employ a clustered pair of Juniper Secure Access 4000 appliances for clientless and SSL-VPN based remote access. I’m also in the process of migrating to the Juniper SRX for our branch office VPN connections, utilizing Juniper SRX 650s in the main office and Juniper SRX 210Hs in the branch offices. I’m a big fan of the Juniper Secure Access product and the Network Connect client. Our recent deployment of the Juniper SRX product has been going quite well. We’re deploying virtual routing instances (VRFs) within JunOS so we can tunnel all Internet traffic from the branch back to the main office for content filtering and logging.

I’m going to outline the different presentations that we heard and perhaps make a few points here and there if I have anything useful to say. I’ll include a short blurb from Juniper in italics to help define/describe each product or solution. Thankfully, since the sessions were recorded, you can watch for yourself and form your own informed opinion.

Here’s my disclaimer: I’m not endorsing any of the solutions presented below. I’m merely passing on the information along with a few comments of my own. If you have any personal opinions about the solutions below, why not share them with us in the comments?

Introduction

by Derick Winkworth (Networking Field Day 3 Delegate)
Tech Field Day Video

I only learned on my flight back to Philadelphia, PA that Derick was a Networking Field Day 3 delegate although once I did that explained a few things.

Storage Networking and FCoE in the Network

by Simon Gordon and Joe White
Tech Field Day Video

Juniper attempted to demonstrate the Juniper QFX3500 switch with a Windows and Linux server using the converged Intel X520-SR2 network adapter connected to a prototype storage array nicknamed ‘platypus’. Unfortunately ‘platypus’ wasn’t behaving that day and Juniper was unable to present the demo.

Edit: Updated 11/1/2012 – as pointed out by Simon, it was the prototype storage array that misbehaved and not the QFX3500.

My Thoughts?

I’m no expert, not even a novice, when it comes to understanding the subject of FCoE. I believe there’s definitely value to be found in a converged FC SAN and NIC adapter. What you do with your SAN traffic once it gets to the FCoE switch seems to be the question.

I have a question: what exactly is a latency bubble? It sounds like bullshit bingo to me, but you never know, it might be real.

Douglas Fourlay over at Network World is wondering Why FCoE is Dead, But Not Buried Yet. The article is dated but makes some interesting points.

Virtual Chassis Technology

by Yafan An
Tech Field Day Video

Juniper Networks Virtual Chassis technology is a feature of the Juniper Networks EX4200 line of Ethernet switches allowing the interconnection and operation of switches as a unified, single, high bandwidth device. Up to 10 EX4200 switches may be interconnected via dedicated Virtual Chassis ports on each device, or through optional uplink module ports that are configured as Virtual Chassis ports, with a combined backplane bandwidth of up to 128 Gbps.

Virtual Chassis Technology – stacking in the closet or at top of rack with 4 different models: EX3300 – 1Gbps fixed switch (stack up to 6), EX4200 – 1Gbps fixed switch (up to 10), EX4500 – 10Gbps switch (up to ?), EX8200 – modular chassis core switch. EX8200s can be supplemented by external XREs (eXternal Routing Engines), all managed as a single switch with a single IP address utilizing JunOS. EX8200s can be stacked up to 40 km apart in a virtual chassis.

My Thoughts?

Initially it appeared to be just another stacking solution for closet/edge switches. Although then I realized that you can actually stack the modular EX8200 chassis which sounds similar to some other vendor solutions.

MyKonos – Web Application Security

Tech Field Day Video

Mykonos Software’s web Intrusion Deception™ system effectively eliminates false positives because it employs tar traps to detect attacks with certainty. The software inserts detection points into web application code including URLs, forms and server files to create a variable minefield. These traps detect hackers when they manipulate the deception points during the reconnaissance phase of the attack, before they can establish an attack vector. And because hackers are manipulating code that has nothing to do with the website or web application, the malicious action is certain.

My Thoughts?

If you were watching the live stream you probably saw me prop up in my chair. This was a devilishly clever approach to the problem of application hacking and how to thwart the majority of such attempts. I’ve run a number of honeypots over the years, but this was really a better mousetrap than anything I’ve ever seen. The MyKonos solution essentially acts as a reverse proxy server that fronts your Internet-facing application web servers and injects small pieces of cheese into the HTML to see if anyone will bite. Once someone/something reacts to the pieces of cheese, the solution starts tracking the user/host and attempts to keep deceiving the ‘hacker’ by offering additional tidbits of information to keep them interested. The ultimate goal of the solution is to keep rogue users interested, wasting their time (and money) while building a profile of the attacker. Ultimately MyKonos can integrate with third-party firewalls to block the IP address of an intruder once they’ve reached the end of the rainbow.

The delegates discussed for a few minutes the legality of placing cookies in a user’s web browser but it seems that Juniper has already addressed the majority of those concerns in a knowledge base article KB25858.
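The deception-point idea described above can be sketched in a few lines. This is an added example, not Mykonos or Juniper code: it assumes a proxy in front of the application that can rewrite HTML on the way out and inspect requests on the way in, and the names SERVER_KEY, acct_role and /admin-backup/ are constructed for the example. A hidden decoy field is bound to the session with an HMAC, so a normal browser submits it unchanged while a scanner that edits it, or fetches the invisible decoy link, is flagged with certainty.

```python
"""Deception points for a web application, modelled on the tar-trap idea above.

Added example, not Mykonos or Juniper code. Assumptions: the application sits
behind a proxy that can rewrite HTML on the way out and inspect requests on the
way in; SERVER_KEY, the field name and the decoy path are constructed values.
"""
import hashlib
import hmac
import re
from html import escape
from urllib.parse import parse_qs

# Per-deployment secret used to derive trap values (constructed value).
SERVER_KEY = b"constructed-server-side-secret"
TRAP_FIELD = "acct_role"          # decoy hidden form field; no real code reads it
DECOY_PATH = "/admin-backup/"     # decoy URL; nothing legitimate links to it visibly


def make_trap_token(session_id: str) -> str:
    """Trap value bound to the session, so a tampered or replayed value is detectable."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:32]


def inject_traps(html: str, session_id: str) -> str:
    """Add a hidden decoy field to the first form and an invisible decoy link to the page."""
    hidden = (f'<input type="hidden" name="{TRAP_FIELD}" '
              f'value="{escape(make_trap_token(session_id))}">')
    html = re.sub(r"<form\b[^>]*>", lambda m: m.group(0) + hidden, html,
                  count=1, flags=re.IGNORECASE)
    decoy = f'<a href="{DECOY_PATH}" style="display:none">backup</a>'
    return html.replace("</body>", decoy + "</body>", 1)


def classify_request(method: str, path: str, body: str, session_id: str):
    """Return None for a clean request, or a short reason when a trap was touched.

    A browser submits the hidden field unchanged, so only a modified value or a
    visit to the decoy URL indicates deliberate manipulation of the page.
    """
    if path.startswith(DECOY_PATH):
        return "decoy-url"
    if method.upper() == "POST":
        submitted = parse_qs(body).get(TRAP_FIELD, [None])[0]
        if submitted is not None:
            expected = make_trap_token(session_id)
            if not hmac.compare_digest(submitted.encode(), expected.encode()):
                return "trap-field-modified"
    return None
```

The reason string is what you would feed into the tracking and profiling step the post describes; the proxy itself never needs to know anything about the real application's fields, which is why the detection carries no false positives.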

JunOS Automation

by Dan Beckman and Dereck Winkworth
Tech Field Day Video

JunOS 12.2 added the ability to make cURL calls from scripts, which lets you centralize your code snippets.

Junos Automation Technology Overview Presentation
Juniper Script Library

SLAX – SLAX is a syntax overlay of the XSLT programming language. While XSLT is used internally by Junos to power its on-box scripting capabilities, it is not the most intuitive or efficient of languages, so SLAX was created to simplify on-box script programming and make it more comfortable to write. SLAX Reference

JUISE – JUISE takes the abilities provided by the scripting facility of JUNOS and moves it into the open source world, where a script can run on a remote box, accessing JUNOS resources over the NETCONF (or JUNOScript) API. Initially this will be an excellent environment for creating and debugging scripts, but for many users, it may become their “normal” scripting environment.

My Thoughts?

I was able to relate to Dereck as he used phrases like “mountain of automation workflow”, “stop the hurt” and “IT is hard”. I’m a believer in letting the computer do the work wherever possible and reducing the duplication of effort (eliminate the paperwork). You only need to look at my scripts library to see that I’ve written my share of code using Expect and Perl to automate various tasks and push functionality out to the help desk and support personnel. I recently coded a Perl application to interface with Infoblox so that support personnel could quickly and easily update the DHCP MAC address list which is used to filter DHCP requests (a poor man’s NAC). The goal was to allow help desk and field engineers to make updates to Infoblox without requiring them to log into the Infoblox appliance. I had to code all sorts of data validation routines in JavaScript to make it as bulletproof as possible. I took the same Perl application and allowed Symantec’s Altiris to make CGI calls to it while provisioning desktops and laptops, thereby completely automating the process of on-boarding new desktops and laptops onto the network.

Now that I have 2 Juniper SRX 650s and 31 Juniper SRX 210Hs to manage I’ll definitely be looking into what I can do to help automate the management of these devices, and JUISE will probably be the first component I look at in my quest to make “IT easier”.

Closing

Let me say thanks to Derrick and the entire Juniper team. The presentations were very informative and educational.

Cheers!

Juniper SRX VPN Branch Office
https://blog.michaelfmcnamara.com/2012/02/juniper-srx-vpn-branch-office/
Tue, 28 Feb 2012 22:31:12 +0000

We recently started replacing our aging Avaya VPN Routers (formerly Nortel Contivity) with Juniper SRX series gateways. We chose a Juniper SRX 650 to replace our Avaya VPN Router 1750 and we chose the Juniper SRX 210H to replace the Avaya VPN Router 1010 and 1050 models. While it was fairly easy to get both route-based tunnels and policy-based tunnels set up, we had an interesting time trying to route all traffic at the branch back to the main office (as opposed to routing it directly to the Internet on the branch Juniper SRX 210H) so it could be policed by our corporate firewalls and content filtering solutions. We were able to accomplish this configuration through the use of VRFs and I’m going to outline how we did it (just in case anyone else is trying to follow in our footsteps – or better yet can improve the configuration).

Configure the Juniper SRX 210 Branch Office

Log in to the serial console of the Juniper SRX gateway with the username “root” (the password should be blank). We’ll start the configuration by loading the factory defaults and then setting up some basic system information. We’ll add a user called “admin” for future use.

root@% cli
root> configure
Entering configuration mode
[edit]
load factory-default
set system host-name vpn-srx210h-gw
set system domain-name vpn.acme.org
set system time-zone America/New_York
set system root-authentication plain-text-password
set system login user admin full-name Administrator
set system login user admin uid 100
set system login user admin class super-user
set system login user admin authentication plain-text-password

Let’s set the SNMP information, including a reference to the routing instance “centralized-internet”. This will allow us to perform SNMP polls against this VRF from the specific management workstations listed below.

set snmp description "Juniper SRX 210H"
set snmp location "Local Branch Office (Somewhere, USA)"
set snmp contact "Technology Team"
set snmp community readonlystring authorization read-only
set snmp community readonlystring routing-instance centralized-internet clients 10.1.20.50/32
set snmp community readonlystring routing-instance centralized-internet clients 10.2.20.50/32
set snmp community readwritestring authorization read-write
set snmp routing-instance-access
commit

Let’s start by configuring the WAN (public) and LAN (private) IP addresses. The interface ge-0/0/0 is the public interface which will connect to the Internet Service Provider. The interface vlan.0 is the private interface which is made up of the physical interfaces ge-0/0/1 – ge-0/0/7. We’ll also delete the factory default address of 192.168.1.1.

set interfaces ge-0/0/0 unit 0 family inet address 1.51.88.10/30
set routing-options static route 0.0.0.0/0 next-hop 1.51.88.9
set interfaces vlan unit 0 family inet address 10.1.200.1/24
delete interfaces vlan unit 0 family inet address 192.168.1.1/24

Let’s enable the web management GUI on the public interface and set the TCP port to 10443 as opposed to the default of 443.

set system services web-management https interface ge-0/0/0.0
set system services web-management https port 10443

Let’s enable the system services we want to allow in the untrust zone.

set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services https

Let’s repeat those commands for the specific public interface.

set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services ike
set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services ping
set security zones security-zone untrust interface ge-0/0/0 host-inbound-traffic system-services https

Let’s build the VPN tunnel interfaces to Juniper SRX 650. We’ll need to assign IP addresses to these interfaces since we’re setting up a Point to MultiPoint network with route based VPN tunnels.

set interfaces st0 unit 0 family inet address 10.1.255.120/24
set interfaces st0 unit 0 family inet mtu 1500

Let’s finish up setting up the security zones and adding the VPN interfaces.

set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all

Let’s not forget to allow the remote management via the web interface. (added 10/18/2011)

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set system services web-management http interface st0.0

Let’s set up the IKE policies and pre-shared key for both VPN tunnels. Please make sure to replace the pre-shared key and IP addressing below with the values that are specific to your installation (not the example ones). I use the acronym PDC to stand for Primary Data Center since we have both a primary and an alternate/standby.

set security ike policy PDC-IKE mode main
set security ike policy PDC-IKE proposal-set standard
set security ike policy PDC-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
set security ike gateway PDC-GW ike-policy PDC-IKE
set security ike gateway PDC-GW address 2.1.1.25
set security ike gateway PDC-GW external-interface ge-0/0/0.0

set security ipsec policy ACME-VPN proposal-set standard
set security ipsec policy ACME-VPN perfect-forward-secrecy keys group2

set security ipsec vpn PDC-VPN ike gateway PDC-GW
set security ipsec vpn PDC-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn PDC-VPN bind-interface st0.0
set security ipsec vpn PDC-VPN establish-tunnels immediately

The Juniper SRX still acts as a firewall so we need to create policies to allow the traffic to flow. I’ll set everything wide open for this example.

edit security policies from-zone trust to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone trust
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

edit security policies from-zone vpn to-zone vpn
set policy local-to-spokes match source-address any
set policy local-to-spokes match destination-address any
set policy local-to-spokes match application any
set policy local-to-spokes then permit
exit

We’ll create a RIB group so that the interface routes in inet.0 are also imported into the centralized-internet routing table.

set routing-options interface-routes rib-group inet centralized
set routing-options rib-groups centralized import-rib inet.0
set routing-options rib-groups centralized import-rib centralized-internet.inet.0

We’ll create a virtual routing instance setting the next-hop to interface st0.0

set routing-instances centralized-internet instance-type virtual-router
set routing-instances centralized-internet interface st0.0
set routing-instances centralized-internet routing-options static route 0.0.0.0/0 next-hop st0.0

This filter will direct all traffic to the centralized-internet routing table. The first term allows us to add an exception although it’s not used today but can be for testing and troubleshooting by changing the IP address to a valid LAN client IP address. This filter allows traffic from 10.1.200.254 to be routed based on the default routing-instance which would send it directly out to the Internet as opposed to routing it over the VPN tunnel back to the main office.

set firewall filter centralized-internet-filter term 1 from destination-address 10.1.200.254/32
set firewall filter centralized-internet-filter term 1 then accept
set firewall filter centralized-internet-filter term 2 then routing-instance centralized-internet

We’ll apply the filter we created above to traffic ingressing the interface vlan.0.

set interfaces vlan unit 0 family inet filter input centralized-internet-filter

Let’s configure a DHCP relay instance to forward DHCP requests to a centralized server (10.1.1.40).

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "Branch DHCP Relay"
set forwarding-options helpers bootp server 10.1.1.40 routing-instance centralized-internet
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.0

Let’s configure the TCP MSS value so we don’t have any MTU issues tunneling over IPsec.

set security flow tcp-mss ipsec-vpn mss 1350

Let’s configure the debug options so we can troubleshoot any IKE/IPSEC issues.

set security ike traceoptions file size 1m
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket

We need to disable IDP to prevent unwanted error messages from filling the log.

set system processes idp-policy disable

Now we need to commit and save all the changes we’ve made above.

commit

If you have issues committing the changes, with errors such as:

root# commit
[edit system]
'autoinstallation'
incompatible with 'forwarding-options helpers bootp'
[edit forwarding-options helpers]
'bootp'
incompatible with 'system autoinstallation'
error: commit failed: (statements constraint check failed)

Just issue the following command and re-issue the commit

root# delete system autoinstallation

If you are connected to the public Internet you can sync the date/time via NTP over the public interface.

root# set date ntp 173.9.142.98

Configure the Juniper SRX 650 Main Office

Now we need to configure the Juniper SRX 650 which is the main office side of the tunnel.

Let’s create an IKE policy for this specific connection. Please remember to substitute the preshared-key and IP addresses I use in the example below.

set security ike policy TESTLAB-IKE mode main
set security ike policy TESTLAB-IKE proposal-set standard
set security ike policy TESTLAB-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"

Let’s create a gateway and tie it together with our IKE policy. Let’s set the public IP address of the branch office VPN site.

set security ike gateway TESTLAB-GW ike-policy TESTLAB-IKE
set security ike gateway TESTLAB-GW address 1.51.88.10
set security ike gateway TESTLAB-GW external-interface ge-0/0/0.0

Let’s create a VPN policy and tie all the policies together binding it to st0.10 which is a multipoint interface on the main office side.

set security ipsec vpn TESTLAB-VPN ike gateway TESTLAB-GW
set security ipsec vpn TESTLAB-VPN ike ipsec-policy ACME-VPN
set security ipsec vpn TESTLAB-VPN bind-interface st0.10
set security ipsec vpn TESTLAB-VPN establish-tunnels immediately

Since we’re not yet doing OSPF we need to create a static route in the appropriate routing instance.

set routing-instances routing-table-lan routing-options static route 10.1.200.0/24 next-hop 10.1.220.10

I’m omitting a few steps on the Juniper SRX 650 to implement the Multipoint VPN feature but it’s well documented (as most of this is) in the Juniper documentation.
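Walkthroughs like this one are usually pasted into a real device more or less verbatim, so it is worth running the set commands through a small pre-commit check first. The following is an added example, not Juniper tooling: it reads set-format lines (what you would paste into the CLI, or get back from “show configuration | display set”) and reports the slips that are easy to make here: the invalid “set interface” hierarchy, a static route prefix with host bits set, the walkthrough’s example pre-shared key left in place, and web management enabled on an interface that belongs to the untrust zone. MIN_PSK_LEN is an assumed local policy value, and the sample lines are constructed from the configuration above.

```python
"""Pre-commit review of Junos 'set' lines like those in the walkthrough above.

Added example, not Juniper's code. Assumes set-format input; MIN_PSK_LEN is an
assumed local policy value and SAMPLE_CONFIG is constructed from this page.
"""
import ipaddress

# The placeholder key used in the walkthrough; it must never reach a real device.
EXAMPLE_PSK = "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"
MIN_PSK_LEN = 20  # assumption: local policy minimum for pre-shared keys


def lint_set_config(lines):
    """Return a list of human-readable findings; an empty list means nothing was found."""
    findings = []
    zone_of_iface = {}     # interface -> security zone
    https_ifaces = []      # interfaces with web-management https enabled
    for raw in lines:
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tok = line.split()
        # 'interface' is not a valid top-level hierarchy; Junos wants 'interfaces'.
        if tok[1] == "interface":
            findings.append(f"invalid hierarchy 'set interface' (use 'set interfaces'): {line}")
        # Static route destinations must be network prefixes, not host addresses.
        if "static" in tok and "route" in tok:
            prefix = tok[tok.index("route") + 1]
            try:
                ipaddress.ip_network(prefix, strict=True)
            except ValueError:
                findings.append(f"static route prefix has host bits set: {prefix}")
        # Pre-shared keys: catch the example key and anything too short.
        if "pre-shared-key" in tok:
            key = tok[-1].strip('"')
            if key == EXAMPLE_PSK:
                findings.append("pre-shared-key is the walkthrough's example value; replace it")
            elif len(key) < MIN_PSK_LEN:
                findings.append(f"pre-shared-key shorter than {MIN_PSK_LEN} characters")
        # Record zone membership and management interfaces for the cross-check below.
        if tok[1:4] == ["security", "zones", "security-zone"] and "interfaces" in tok:
            zone_of_iface[tok[tok.index("interfaces") + 1]] = tok[4]
        if tok[1:5] == ["system", "services", "web-management", "https"] and "interface" in tok:
            https_ifaces.append(tok[tok.index("interface") + 1])
    for iface in https_ifaces:
        if zone_of_iface.get(iface) == "untrust":
            findings.append(f"web management (https) is reachable on untrust interface {iface}; "
                            "prefer the vpn/trust side or restrict the allowed sources")
    return findings


# Constructed from the set commands on this page, including the two typos.
SAMPLE_CONFIG = [
    'set interface ge0/0/0 unit 0 family inet address 1.51.88.10/30',
    'set routing-options static route 0.0.0.0/0 next-hop 1.51.88.9',
    'set interfaces vlan unit 0 family inet address 10.1.200.1/24',
    'set security ike policy PDC-IKE pre-shared-key ascii-text "c3DrmFiRei37NpW65GnygdOorykE0ZjnpyX"',
    'set system services web-management https interface ge-0/0/0.0',
    'set security zones security-zone untrust interfaces ge-0/0/0.0',
    'set routing-instances routing-table-lan routing-options static route 10.1.200.1/24 next-hop 10.1.220.10',
]

if __name__ == "__main__":
    for finding in lint_set_config(SAMPLE_CONFIG):
        print(finding)
```

The zone cross-check is the one to keep even if you drop the rest: the walkthrough deliberately opens HTTPS on the public interface for convenience, and a linter that says so every time is the cheapest way to make sure that choice is made consciously rather than inherited from a copy and paste.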

Cheers!

Juniper Network Connect GINA Issues with Windows XP
https://blog.michaelfmcnamara.com/2011/04/juniper-network-connect-gina-issues-with-windows-xp/
Fri, 22 Apr 2011 21:00:13 +0000

We utilize Juniper’s Network Connect client to provide connectivity over a broadband Internet connection for all our remote call center agents. We recently had an issue where the Network Connect client couldn’t enable its GINA integration with Windows XP. The GINA automatically launches the Network Connect sign-in function at every Windows user sign-in. This provides the users a single sign-on capability to both log into Windows XP and establish remote connectivity.

Upon our first connection to the Juniper SSL Secure Access appliance we were prompted to install the Network Connect client. During that installation the client prompted us to enable the GINA functionality but then returned the following error, “Network Connect is configured to start when Windows starts, but this function cannot be enabled due to a conflict with another Windows application (nc.windows.app.23679)”.

We currently use both PointSec and Courion internally so I originally suspected one of these applications, although I quickly discovered that neither of them was installed. So I fired up Regedit and went looking to see which GINA was installed other than the default Microsoft GINA.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Under the GinaDLL registry key I found “awgina.dll” configured, which is the GINA for Symantec’s pcAnywhere. I deleted the registry key (while pcAnywhere was installed we weren’t using its GINA capabilities), uninstalled the Juniper Network Connect client and rebooted the laptop. I ran back through the installation again and this time I was able to enable the GINA capabilities of the Network Connect client. I’m not 100% sure that you need to remove the client and re-install it, although that was the safest course of action at the time for me.

Here are some of the more popular GINAs in the industry;

  • Cisco VPN client (csgina.dll)
  • Microsoft GINA (msgina.dll)
  • Nortel Networks VPN client (nngina.dll)
  • RSA SecurID (aceGina.dll)
  • Novell GINA (nwgina.dll)
  • pcAnywhere32 (awgina.dll)
  • IBM Fingerprint GINA (vrlogon.dll)
  • Pointsec GINA (pssogina.dll)
  • Courion Password Reset (ssogina.dll)
  • Juniper Network Connect (dsNcGina.dll)

Cheers!

References;

http://support.microsoft.com/kb/321031

http://www.juniper.net/techpubs/software/ive/admin/6.5-ClientSideChanges.pdf

DHCP/BOOTP Relay with Juniper SRX Gateways
https://blog.michaelfmcnamara.com/2010/09/dhcpbootp-relay-with-juniper-srx-gateways/
Sun, 12 Sep 2010 21:00:19 +0000

I’ve recently started deploying the Juniper SRX series gateways, placing an SRX 210 at branch office locations with an SRX 650 at the main office locations. We utilize a central DHCP/DNS/IPAM solution so we prefer to relay all DHCP/BOOTP requests to one of our centralized DHCP/DNS servers as opposed to utilizing the DHCP server functionality built into the SRX itself.

I had to spend more than a few minutes trying to get the DHCP relay working on the SRX 210. The configuration was pretty straightforward; the trick in the end was the “vpn” statement (see below) that allows the DHCP/BOOTP packets to be relayed across a VPN tunnel. Please note that the DHCP server at 10.1.1.1 is accessible via the VPN tunnel.

forwarding-options {
 helpers {
  bootp {
   relay-agent-option;
   description "Branch DHCP Relay";
   server 10.1.1.1;
   maximum-hop-count 10;
   minimum-wait-time 1;
   vpn;
   interface {
    vlan.0;
   }
  }
 }
}

The next big step will be deploying OSPF between all the SRX gateways.

Cheers!

Juniper SRX JUNOS Software Upgrade 10.1R1.8
https://blog.michaelfmcnamara.com/2010/04/juniper-srx-junos-software-upgrade-10-1r1-8/
Tue, 20 Apr 2010 23:00:24 +0000

We recently purchased two Juniper SRX 650s to replace our aging Nortel VPN Routers (formerly Contivity Extranet Switches). We finally have both gateways/routers/firewalls racked and connected to the network and we started working our way through the JUNOS configuration and command line interface. The SRX650 we received from our reseller came with 10.0R8 so we decided to upgrade them to 10.1R1.8 based on some feedback we had received from Juniper concerning the slow response from the Web GUI while evaluating the SRX platform a few months ago.

You can find the release notes for JUNOS 10.1 on the Juniper website.

We started by placing the software (junos-srxsme-10.1R1.8-domestic.tgz) on an internal web server (10.1.20.1).

The upgrade itself took at least 5 minutes and the reboot took at least another 5 minutes; you definitely need to be patient when upgrading the SRX. It took a really long time compared to anything else I’ve upgraded in the past.

root> request system software add http://10.1.20.1/junos-srxsme-10.1R1.8-domestic.tgz reboot
/var/tmp/incoming-package.1145                        1500 kB 1500 kBps
Package contains junos-10.1R1.8.tgz ; renaming ...
NOTICE: Validating configuration against junos-10.1R1.8.tgz.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/ad0s2a)...
/dev/ad0s2a: 631.0MB (1292236 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 157.75MB, 10096 blks, 20224 inodes.
super-block backups (for fsck -b #) at:
32, 323104, 646176, 969248
** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 317928 free (24 frags, 39738 blocks, 0.0% fragmentation)
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_10_0_0
Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0
Using junos-10.1R1.8-domestic from /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic
Copying package ...
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
veriexec: cannot update veriexec for /cf/var/validate/chroot/junos/etc/voip/musiconhold.conf: No such file or directory
Verified manifest signed by PackageProduction_10_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
cp: /cf/var/validate/chroot/var/etc/resolv.conf and /etc/resolv.conf are identical (not copied).
cp: /cf/var/validate/chroot/var/etc/hosts and /etc/hosts are identical (not copied).
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 84,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Port based Network Access Control:
Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)
Link Layer Discovery Protocol: rtslib: ERROR kernel does not support all messages: expected 95 got 94,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg gencfg-stats: expected 104 got 103,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
Link Layer Discovery Protocol: rtslib: WARNING version mismatch for msg fc fabric: expected 97 got 0,a reboot or software upgrade may be required
Link Layer Discovery Protocol:
mgd: commit complete
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic' ...
Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0
Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.1R1.8.tgz
JUNOS 10.1R1.8 will become active at next reboot
Saving package file in /var/sw/pkg/junos-10.1R1.8 ...
cp: /altroot/cf/packages/install-tmp/junos-10.1R1.8-domestic is a directory (not copied).
Saving state for rollback ...
Rebooting ...
shutdown: [pid 1888]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***
System going down IMMEDIATELY
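The transcript above carries the three things worth confirming before the reboot is allowed to proceed: that every package was signature-verified, who signed it, and that the new release was actually marked active. The check below is an added example, not Juniper tooling: it scans a captured transcript for the “Verified … signed by …” lines, compares the signer against an expected prefix, records the version marked active, and collects the ERROR lines for review. The sample transcript is an excerpt of the lines shown on this page; the expected signer prefix is an assumption based on the names that appear in it.

```python
"""Sanity check of a 'request system software add' transcript like the one above.

Added example, not Juniper tooling. SAMPLE_TRANSCRIPT is an excerpt of the
lines on this page; the expected signer prefix is an assumption drawn from them.
"""
import re

VERIFIED_RE = re.compile(r"^Verified (\S+) signed by (\S+)$")
ACTIVE_RE = re.compile(r"^JUNOS (\S+) will become active at next reboot$")


def check_upgrade_transcript(lines, expected_signer_prefix="PackageProduction_"):
    """Summarise signature checks, activation and ERROR lines from an upgrade transcript."""
    verified = {}        # artifact -> signer (last occurrence wins)
    unexpected = []      # (artifact, signer) pairs with an unexpected signer
    errors = []          # lines the installer flagged as ERROR, kept for review
    active = None        # version the installer says will be active after reboot
    for raw in lines:
        line = raw.strip()
        m = VERIFIED_RE.match(line)
        if m:
            artifact, signer = m.groups()
            verified[artifact] = signer
            if not signer.startswith(expected_signer_prefix):
                unexpected.append((artifact, signer))
            continue
        m = ACTIVE_RE.match(line)
        if m:
            active = m.group(1)
        if ": ERROR " in line:
            errors.append(line)
    return {
        "verified": verified,
        "unexpected_signers": unexpected,
        "active_version": active,
        "errors": errors,
        # 'ok' means the release was marked active and no signer was unexpected;
        # ERROR lines are reported separately so a human can judge them.
        "ok": active is not None and not unexpected,
    }


# Excerpt of the transcript on this page (constructed subset, order preserved).
SAMPLE_TRANSCRIPT = [
    "Verified manifest signed by PackageProduction_10_0_0",
    "Verified junos-10.0R1.8-domestic signed by PackageProduction_10_0_0",
    "Port based Network Access Control: rtslib: ERROR kernel does not support all messages: "
    "expected 95 got 94,a reboot or software upgrade may be required",
    "Verified manifest signed by PackageProduction_10_1_0",
    "Port based Network Access Control: rtslib: ERROR IDL IDR Decode Error -1(Garbled Message)",
    "Verified junos-boot-srxsme-10.1R1.8.tgz signed by PackageProduction_10_1_0",
    "Verified junos-srxsme-10.1R1.8-domestic signed by PackageProduction_10_1_0",
    "JUNOS 10.1R1.8 will become active at next reboot",
]

if __name__ == "__main__":
    summary = check_upgrade_transcript(SAMPLE_TRANSCRIPT)
    for artifact, signer in summary["verified"].items():
        print(f"{artifact}: signed by {signer}")
    print("active after reboot:", summary["active_version"], "ok:", summary["ok"])
```

In practice you would capture the session output (the serial console or an SSH session log) and run this before answering any reboot prompt, or on a box where the reboot was deferred with a later “request system reboot”.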

I hope to post some additional information as we move forward with the Juniper SRX platform.

Cheers!

Juniper Secure Access SSL VPN Software 6.5R2 is a winner
https://blog.michaelfmcnamara.com/2010/02/juniper-secure-access-ssl-vpn-software-6-5r2-is-a-winner/
Wed, 24 Feb 2010 04:00:01 +0000

If you’ve been following this blog you’ll know that we’ve had quite a few issues with our Juniper Secure Access SSL VPN appliances over the past two years. Juniper was very slow to add WSAM support for Windows Vista 64-bit and by the time they started supporting Windows Vista, Windows 7 was released by Microsoft.

You might recall that I wrote about software release 6.5R2 back in December 2009, detailing our troubles with the 6.5R1 software release and our hope that Juniper could save the day.

Thankfully I’m here to tell you that software release 6.5R2 for the Juniper Secure Access SSL VPN appliances appears to be a winner!

About six days ago I upgraded a pair of SA4000s running 6.5R1 to 6.5R2. The primary goal was to resolve the compatibility issues that were introduced in 6.5R1 and finally provide support for both Windows Vista 64-bit and Windows 7 64-bit. The actual upgrade of the appliances was pretty straightforward and the initial testing didn’t reveal any issues. Unfortunately no amount of testing can predict how things will go when working with home personal computers and the myriad of software available. We waited nervously for the first few days… thankfully the calls never came. While we had one or two users that needed some hand holding during the software upgrade/installation process, the majority of our 800+ users didn’t seem to have any issues whatsoever.

Let me congratulate Juniper Networks on a job well done!

I’ve created a discussion forum for anyone that would like to discuss the Juniper Secure Access SSL VPN appliances. If you have a question or would like to make a comment, why not join the discussion?

Cheers!

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7
https://blog.michaelfmcnamara.com/2009/12/juniper-ssl-vpn-secure-access-6-5r2-available-windows-7/
Fri, 11 Dec 2009 03:00:37 +0000

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1; if you haven’t heard about them you can go read the earlier posts on the subject;

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Network’s SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article, KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the known caveats/issues.

Known Issues/Caveats:

* All client components:

  1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software; please see the forums for additional details.

Which branch office VPN solution?
https://blog.michaelfmcnamara.com/2009/11/which-branch-office-vpn-solution/
Sat, 21 Nov 2009 01:00:35 +0000

I’m looking to replace the two aging Nortel 1700 VPN Routers (formerly Contivity). These VPN routers provide branch office tunnels to our remote offices, vendors and business affiliates. We utilize two VPN routers which are geographically dispersed and connected to different tier 1 Internet Service Providers. This allows us to provide high availability and redundancy when used in conjunction with OSPF routing.

I’ve essentially boiled my options down to two possible solutions (vendors);

Juniper SRX 240

Cisco ASA 5550

So which do I choose, and how best to evaluate the different products? The primary purpose of the device is to provide branch office IPSec tunnels. The product needs to support OSPF and it needs some limited support for Multicast over VPN.

This morning I was lucky enough to have one of our preferred vendors, who just happens to be a Juniper reseller, come on site and help set up 2 Juniper SRX 210 gateways for us to demo. I’ve never worked with a Junos based product and while the web based GUI was fairly straightforward the CLI interface is going to take some time to get used to. It’s not like Cisco, Nortel, Brocade or Blade Technologies. Thankfully I did find a quick start guide that helped get my feet wet with Junos.

Once I’m done with the Juniper SRX I’ll need to turn my attention to the Cisco ASA (Tom you know what I’ll be calling for soon – demo time).

I’ll post a summary once I have some thoughts about the Juniper SRX. Anyone care to comment regarding either the Juniper SRX or the Cisco ASA as it pertains to branch office VPN tunnels? As a note I’m already migrating our Nortel VPN end-users to our Juniper SSL VPN Secure Access 4000 appliances.

Cheers!

Norton 360 and Juniper SSL VPN WSAM
https://blog.michaelfmcnamara.com/2009/10/norton-360-and-juniper-ssl-vpn-wsam/
Fri, 02 Oct 2009 21:00:07 +0000

Update: Thursday, October 8, 2009 I decided to rewrite this post to include all the information I’ve accumulated while troubleshooting the issues I’ve encountered deploying software release 6.5R1 for my organization. I can’t tell you how valuable it is to have access to a virtual machine with snapshot capability while testing all the different possible anti-virus, anti-spyware, and security software that’s out there in the wild with Juniper’s Windows Secure Application Manager. Since Juniper has yet to really release any useful information I thought I would add some additional notes to this post around the different software products that I’ve discovered can interfere with Juniper’s Windows Secure Application Manager (WSAM) client software.

If you’re a regular follower you know that we recently upgraded our Juniper Secure Access 4000 SSL VPN appliances from 6.2R1 to 6.5R1. You also know that we discovered that the old Juniper Installer Service from 6.2R1 is unable to upgrade the Juniper software components for non-Administrator users. You’ll need to manually install the Juniper Installer Service if your users are non-Administrators of the local computer they work on.

Norton 360, Norton Internet Security, Norton AntiVirus 2010

We’ve been successful in duplicating customer reported issues between Norton 360 or Norton Internet Security or Norton AntiVirus 2010 and Juniper’s Windows Secure Application Manager (WSAM). Windows XP users running any of the above Norton products will generally experience a blue screen of death crash (IRQL_NOT_LESS_OR_EQUAL) when clicking on a bookmark that relies on the WSAM client. Windows Vista users running any of the above Norton products will generally hang the machine (only after the first reboot from the time the product was installed) when launching the WSAM client software upon logging into the Juniper appliance. As a side note to this problem, users running Norton 360 (v3.0.0.135) do not experience this problem, only users running Norton 360 (v3.5.2.11). Juniper Technical Assistance Center (JTAC) has acknowledged that a problem exists and is working to release 6.5R2 in November 2009 to address the problems with Norton.

Symantec AntiVirus v10.x

Users running Symantec Corporate Edition AntiVirus v10.0, v10.2 experience intermittent local name resolution issues from DNS, WINS and local NetBIOS name broadcasts while the WSAM client software is running. The name resolution issues are not present when WSAM is not running. A possible workaround is to create static HOST entries in the local HOSTS file (C:\Windows\System32\drivers\etc\hosts). JTAC has acknowledged that a problem exists; I’m still waiting for additional information from JTAC.

ESET NOD32 Smart Security 4 and Antivirus 4

The testing in our lab has shown varied results. In some instances the latest and greatest release of NOD32 appears to work fine with WSAM. The later versions of NOD32 appear to add exceptions for the Juniper software components in the advanced configuration section under ‘Web Access Protection’. Older versions of NOD32 appear to block WSAM from communicating with the Juniper Secure Access Appliances even though the application indicates that it’s ‘Connected’. In our testing we did find that JSAM and NC both appeared to function properly with the latest version of ESET NOD32 installed. We’ve implemented a workaround for our customers using JSAM and that appears to be working for our users.

Check Point ZoneAlarm Security Suite

We’ve been able to re-create this problem and also have a ticket open with JTAC. We’ve tried adding exceptions and making IP addresses ‘trusted’ in Check Point’s language. We’ve been completely unsuccessful in getting this product to work with WSAM. The symptoms are identical to NOD32, where the WSAM application launches successfully and indicates that it’s ‘Connected’ but you’re unable to connect to any WSAM applications. In our testing we did find that JSAM and NC both appeared to function properly with ZoneAlarm installed. I have a support ticket open with JTAC but I haven’t received any feedback yet. We’ve implemented a workaround for our customers using JSAM.

I also learned from a user that Spybot Search & Destroy has a feature that can ‘lock’ the local host file on a computer preventing Java Secure Application Manager (JSAM) from operating properly.

Anyone else having any issues or findings they care to share?

Juniper SSL VPN Upgrade – Client Software https://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-upgrade-client-software/ Tue, 22 Sep 2009 23:51:24 +0000

We use a pair of Juniper Secure Access 4000 appliances operating in a cluster configuration for high availability to provide remote access to our internal web based applications. We utilize Juniper’s Windows Secure Application Manager (WSAM) to provide secure access to web based and non-web based applications where the core rewriting functionality of the SA4000 is too slow or incompatible with the application.

We’ve been planning to upgrade from 6.2R1 to 6.5R1 so we can support our Windows Vista 64-bit users, a population that seems to be growing rapidly these days now that resellers are shipping machines with 4Gb of memory requiring a 64-bit operating system.

Over the past week we’ve been working (along with Juniper) to confirm that upgrading from 6.2R1 to 6.5R1 won’t cause us any unforeseen problems. We’ve tested the upgrade on a spare SA4000 and found no problems worth mentioning on the appliance itself. We did, however, encounter problems with the client software. The Juniper Installer Service is designed to automatically upgrade itself and any associated Juniper software such as Windows Secure Application Manager (WSAM), Network Connect (NC) and Hostchecker. The Juniper Installer Service is critical because it allows non-Administrator users of the personal computer to upgrade the Juniper software without requiring Administrator access. When you have a large deployment with hundreds or thousands of users (especially where those users are outside of your managed environment) it is crucial that this process work flawlessly. It would seem that the upgrade process between 6.2R1 and 6.5R1 is broken. In some discussions with JTAC they didn’t seem surprised by the information, yet I don’t ever recall reading anything in the release notes acknowledging that problem.

non-Administrator users

I tested the upgrade process and the client software didn’t upgrade itself properly when a user without Administrator rights connected to the appliance. The browser would just hang at /dana/home/starter0.cgi?check=yes trying to check for the presence of the Juniper Installer Service. After about 30 seconds the browser would try to start Windows Secure Application Manager (if it was configured to launch automatically) and hang again. After another 60 seconds the appliance would try to launch a Java applet to install the WSAM client which would fail because the user wasn’t an Administrator of the PC and didn’t have the proper rights to install the WSAM client software.

Administrator users

If a user with Administrator rights connected to the appliance the browser immediately prompted the user to install the Juniper Installer Service (ActiveX object). The Windows Secure Application Manager (WSAM) also installed/upgraded itself without issue along with the Network Connect (NC) client. In short there were no issues with the upgrade so long as the user was an Administrator of the personal computer.

Solution

The solution to the problem with non-Administrator users is simple but a painful task depending on how diverse your user population might be. An Administrator of the personal computer must manually install the Juniper Setup Client (formerly called the Juniper Installer Service) onto the personal computer. Once that task is complete non-Administrator users can connect to the Juniper appliance and any remaining Juniper software components will be properly installed through the Juniper Setup Client even though the user is a non-Administrator and doesn’t specifically have rights to install software.

In a previous post I hinted that the WSAM client didn’t function properly in 6.5R1 on a Windows Vista 64-bit computer. That problem seems to have remedied itself although I’m not really sure what changed or what might have been broken in my initial testing. All subsequent testing shows that WSAM works fine from a Windows Vista 64-bit computer. There are some documented issues using the 64-bit version of Internet Explorer within Windows Vista so I would advise users stick to the 32-bit version for now.

Cheers!

Update: Wednesday September 30, 2009

I thought I would post an update since this article seems to be attracting a lot of attention around the net. Over the past three months we had around 1,900 different users login from almost 3,400 different machines (users are mobile). While the majority of issues have been resolved by un-installing the Juniper client software, rebooting and re-installing the client software there are a few that require some extra configuration and one that is currently broken. If you are running Norton Internet Security 2009 or Norton 360 there is an unknown issue with the latest (GoLive update) version that will cause Windows Vista (Norton forums) to hang and Windows XP to blue screen. If you are using ESET NOD32 you’ll need to add specific exemptions for Internet Explorer and the Juniper programs; you can see an example in the screenshot to the left.

I also had a brief discussion with JTAC this week in which I was told that the Juniper Installer Service and the Juniper Setup Client are two different pieces of software. I’ll need to dig up some additional documentation to see if I can untangle that mystery.

Juniper SSL VPN Secure Access 6.5 Available https://blog.michaelfmcnamara.com/2009/09/juniper-ssl-vpn-secure-access-6-5-available/ Wed, 02 Sep 2009 02:00:22 +0000

Juniper recently released a new version of software for their SSL VPN (Secure Access) appliances. The new release is important because it finally addresses a problem that was originally documented on my blog in this post. While I have yet to deploy this new software release (I would be interested in hearing from those that have) I thought it warranted a new post.

This latest version of software now supports Windows Secure Application Manager (WSAM) when used on Windows XP 64-bit and Windows Vista 64-bit clients. There was no mention of Windows 7 which is due to be released October 22, 2009. I did find it interesting that Internet Explorer 8 was only “compatible” with respect to a few of the features while Internet Explorer 7 was “qualified” with all features (review Juniper Secure Access 6.5 Supported Platforms document for specifics). I did a quick search over in the Juniper forums and found some reports that Host Checker wasn’t working properly with Windows 7 RC.

There were two new features that jumped out at me in the What’s New document:

RDP Launcher

SA 6.5 simplifies the use of RDP sessions for end users without requiring them or administrators to create bookmarks.

  • Simplifies ease of use for remote users to RDP into remote desktops by merely clicking a button or entering a hostname or IP Address of the remote computer.
  • Simplifies the configuration for administrators and reduces the number of support calls from users who are unable to figure out how to RDP to remote computers.

VDI Support

Secure Access (SA) version 6.5 interoperates with VDI products, including VMWare’s View Manager and Citrix’s XenDesktop, enabling administrators to deploy virtual desktops alongside the SA series of SSL VPN devices. This allows the SA administrator to configure centralized remote access policies for users who access their virtual desktops.

  • This provides a centralized point of configuration for administrators to configure remote access policies for virtual desktop access through leading virtualization products from VMWare and Citrix.
  • SA 6.5 provides end users the VDI client to access the virtual desktop through, and provides flexible client fallback options thereby simplifying the deployment and management for administrators.

We have a lot of folks looking to access their corporate desktops remotely and the RDP (Terminal Services) feature of the Juniper SSL VPN really helps fill that role.

Cheers!

References:

What’s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.5
Juniper Secure Access 6.5 Release Notes
WSAM and Network Connect Error Messages Release 6.5
Juniper Secure Access 6.5 Support Platforms

Update: Thursday November 5, 2009

Let me get right to the point: I would not recommend anyone deploy 6.5R1 on their Juniper Secure Access appliances. There are known issues with the Juniper Windows Secure Application Manager (WSAM) and the following four security suites: Norton 360, Symantec AntiVirus, Zone Alarm Security, ESET NOD32. Users with Norton 360 could experience a blue screen of death (BSOD) using the Juniper Windows Secure Application Manager. Juniper has a hotfix available for 6.5R1 that resolves the BSOD issues with Norton 360. The hotfix is not generally available on the Juniper website so you must contact JTAC for the hotfix.

Additional information can be found at this post: http://blog.michaelfmcnamara.com/2009/10/norton-360-and-juniper-ssl-vpn-wsam/

Update: Friday September 19, 2009

A quick update… I’ve set up a spare SA4000 and received a demo license from Juniper to test the 6.5R1 software release (thanks Matt!). I’m happy to report that the upgrade on the appliance was very smooth although it took about 6 minutes for the appliance to boot back up giving me a few frightful thoughts. Unfortunately the same can’t be said of the client software. I’m still in the process of testing but it appears that non-Administrator users (users that don’t have Administrator rights on the PC) won’t be functional after the upgrade until an Administrator manually installs the latest and greatest Juniper Installer Service. The Juniper Installer Service is designed to allow the client software to upgrade when the user doesn’t have Administrator rights. Users with Administrator rights work fine so long as they answer the prompts to install the new version of the Juniper Installer Service. I hope to release a detailed post in the next few days including some testing of Windows Vista 64-bit desktops.

Home Telecommuting https://blog.michaelfmcnamara.com/2009/03/home-telecommuting/ Sun, 29 Mar 2009 13:00:12 +0000

I’ve talked about telecommuting myself from time to time and it seems like a lot of people are talking about it these days. And while gas prices have come down considerably from the records set during the 2008 summer, the economic woes are really starting to drive both companies and workers to seriously look at home telecommuting.

Within my organization we’ve been testing different technologies and solutions over the past 6 months. We broke all the options down into two basic classes. The first was an all hardware solution while the second was an all software solution. A standard leased laptop was necessary to provide the end user (call center agent) access to the back-end applications necessary to do his/her work. We also didn’t want to involve any home personal computers, for security and regulatory compliance reasons.

All Hardware

  • Nortel Business Secure Router 222
  • Nortel 1150e IP Phone
  • Standard leased laptop

All Software

  • Standard leased laptop
  • Nortel i2050 IP Softphone
  • Juniper SSL VPN Client (Network Connect)

When you factor in all the ISM licensing costs the all hardware solution starts to get very pricey but will provide the best possible quality and stability. On the flip side the all software solution will be more cost effective but could provide less quality and, depending on the applications being run, could be less stable over an 8 to 12 hour shift (call center agent).

We’ve had about 5 users (2 all hardware, 3 all software) deployed over the past few months with great success. We’ve had a number of issues with the local cable provider (Comcast Cable) going up and down occasionally but those problems were resolved when a cable technician replaced a splitter at the pole.

The other issue we needed to tackle was how to provide remote control support for our Help Desk and Engineers over the Internet. We turned to Ultra VNC and are using its Single Click solution in conjunction with its repeater add-on. It provides a great cost effective alternative to a commercial solution such as WebEx or GoToMyPC.

Cheers!
