3/24/2015

Juniper Switch Software Install, Upgrade, or Downgrade using USB port

I bought 2 EX4200 from eBay and wanted to do virtual-chassis.  Here are some things I learned:

1. The 2 switches came with different software versions, 10 and 12.

2. Had to buy the vcp cable for virtual chassis.

3. Had to connect the cable in the back, vcp-0 to vcp-0 and vcp-1 to vcp-1, to make a ring; otherwise it wouldn't work. You'll see a status of "NotPrsnt."

4. Both switches need to be on the same software, so this is what I did:

I had to downgrade the new switch to 10.4R5.5. The simplest and safest way to do this is with the switch in standalone mode: put the image on a USB key and plug it into the back of the EX4200.

Here are the steps:

a. Download your image from Juniper.net and put it in the root of a FAT32-formatted USB key on your laptop.

b. Insert the USB key into the back of the EX4200 and boot the switch if needed.
Then mount the USB key:

root@:RE:0% mount_msdosfs /dev/da1s1 /mnt

Once the USB key has been mounted you can run the request system software add command. This command installs whatever software version you specify, whether an upgrade or a downgrade.

root> request system software add  /mnt/jinstall-ex-4200-10.4R5.5-domestic-signed.tgz

Be patient, as this process takes a few minutes. Once the image has been loaded you will be asked to reboot.

Checking pending install on fpc0
Validating on fpc0
Done with validate on all virtual chassis members
fpc0:
WARNING: A reboot is required to install the software
WARNING:     Use the ‘request system reboot’ command immediately

root@:RE:0% cli

{master:0}

root> request system reboot 

Reboot the system ? [yes,no] (no) yes
*** FINAL System shutdown message from root@ ***                            
System going down IMMEDIATELY

Once the switch has rebooted, show version will show that the switch is now running version 10, or whichever image you installed.

root> show version 


3/16/2015

BGP LAB 1: BGP Access List Filtering and Answer

Two routers are connected with eBGP. The aim is to filter some routes (10.x.x.x) from the neighbor router using an extended access list.


Goal:

Configure the routers as in the diagram.
Configure EBGP between router Tristram and Sanctuary.
Advertise the loopback interfaces on both routers in BGP.
Configure a summary that advertises 10.0.0.0/8 towards router Sanctuary.
Configure an extended access-list on router Sanctuary that will block the 10.0.0.0/8 prefix but allows all other prefixes.
Configure an extended access-list on router Tristram that blocks network 10.2.2.0/24.

Answer:

Tristram Router:

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 network 10.0.0.0  === Advertise the 10.x network; the summary-only statement on the next line is then needed.
 aggregate-address 10.0.0.0 255.0.0.0 summary-only  === This summarizes the 10.x networks.
 neighbor 192.168.12.2 remote-as 2
 neighbor 192.168.12.2 distribute-list 100 in  === Filter incoming routes from this neighbor with ACL 100.

access-list 100 deny   ip 10.0.0.0 0.255.255.255 any  === Deny the 10.x network.
access-list 100 permit ip any any


Sanctuary Router:

router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 2.2.2.2 mask 255.255.255.255
 network 10.2.2.0 mask 255.255.255.0
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 192.168.12.1 remote-as 1
 neighbor 192.168.12.1 soft-reconfiguration inbound
 neighbor 192.168.12.1 distribute-list 100 in

access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any any

sh ip bgp nei 192.168.12.1 received-routes
sh ip route
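
When an extended access list is used as a BGP distribute-list, IOS compares the source address/wildcard pair with the prefix's network address and the destination pair with its mask. The Python model below is an added example, not part of the original lab or answer; ACL_EXACT is a hypothetical variant and the prefix list is constructed from the lab's addresses.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # "any" = every bit is a don't-care

def host(addr):
    """'host X' in ACL syntax: address X with an all-zero wildcard."""
    return (addr, "0.0.0.0")

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _wild_match(value, base, wildcard):
    """Compare only the bits where the wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (value & care) == (_to_int(base) & care)

def evaluate(acl, prefix):
    """Return 'permit' or 'deny' for a BGP prefix such as '10.2.2.0/24'."""
    net = ipaddress.IPv4Network(prefix)
    network, mask = int(net.network_address), int(net.netmask)
    for action, src, dst in acl:
        # source pair is tested against the network, destination pair against the mask
        if _wild_match(network, *src) and _wild_match(mask, *dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

# ACL 100 exactly as written on the page
ACL_PAGE = [
    ("deny", ("10.0.0.0", "0.255.255.255"), ANY),
    ("permit", ANY, ANY),
]

# Hypothetical variant: matches only network 10.0.0.0 with mask 255.0.0.0
ACL_EXACT = [
    ("deny", host("10.0.0.0"), host("255.0.0.0")),
    ("permit", ANY, ANY),
]

# Constructed sample: prefixes that appear in the lab
PREFIXES = ["10.0.0.0/8", "10.2.2.0/24", "1.1.1.1/32", "2.2.2.2/32"]

def results(acl):
    return {p: evaluate(acl, p) for p in PREFIXES}

if __name__ == "__main__":
    for name, acl in (("page ACL 100", ACL_PAGE), ("exact-match variant", ACL_EXACT)):
        print(name, results(acl))
```

With ACL 100 as written, the deny entry matches every prefix whose first octet is 10 regardless of prefix length, so 10.0.0.0/8 and 10.2.2.0/24 are both filtered by the same line; the exact-match variant filters only the /8 summary.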

====================================
Note: I got this from gns3vault.com, but I posted my answer for my own reference.

3/04/2015

How to Secure Your Network

This is a precursor to my new post on how to secure your network from the outside.

Securing networks from the outside in is quite easy.  All you need is to buy an appliance, either a hardware device or a software device, to do the job.

But how does one decide which vendor to get: Cisco ASA, Juniper, or others, like the NextGen firewalls and UTMs?

I will tell you that we decided to replace our Cisco ASA FW and content filtering with Sophos UTM.  And it has worked wonderfully.  No spam or viruses, web filtering, stopping outside threats from coming in, etc.

On my next post I will tell you why.

Cisco to Juniper (Junos) Redistributing EIGRP to OSPF

In my previous post, "Redistribute EIGRP and OSPF / Route Tagging", I talked about route tagging, but it works only for internal routes redistributed from EIGRP into OSPF.

A problem comes up when you're redistributing from EIGRP to OSPF with external routes, i.e. external EIGRP.
This is when you use the redistribute command in EIGRP, which gives an administrative distance (AD) of 170.  To solve this, you'll need to add:

distance ospf external 171

in the router ospf 1 process.  Do a "show ip route ospf" in the core router that does the EIGRP/OSPF redistribution to see the difference.

To simulate:

Router 4 / router 6 / other normal router:

router eigrp 2
 network 172.17.39.0 0.0.0.3
 redistribute connected 
 redistribute static     === The redistribute command will have the AD of 170 (external EIGRP).  Internal EIGRP is 90 with the "network" command.

Router 2:  == This is the router that does the EIGRP/OSPF redistribution and connected to the JUNIPER.

router eigrp 2
 network 172.17.0.0
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute eigrp 2 subnets route-map EIGRP-TO-OSPF
 network 172.17.34.0 0.0.0.3 area 0
 default-information originate
 distance ospf external 171    === Need this on the router that does the EIGRP/OSPF redistribution.  Else traffic FROM EIGRP domain GOING TO another EIGRP domain that did the REDISTRIBUTE STATIC, etc. will take the path of OSPF, and not through the EIGRP to EIGRP.


Router 3: == The core router that does the EIGRP/OSPF redistribution and connected to the JUNIPER.

router eigrp 2
 network 172.17.0.0
 redistribute ospf 1 metric 100000 1 255 1 1500 route-map OSPF-TO-EIGRP
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 redistribute eigrp 2 subnets route-map EIGRP-TO-OSPF
 network 172.17.35.0 0.0.0.3 area 0
 default-information originate
 distance ospf external 171   === Need this on the router that does the EIGRP/OSPF redistribution.  Else traffic FROM EIGRP domain GOING TO another EIGRP domain that did the REDISTRIBUTE STATIC, etc. will take the path of OSPF, and not through the EIGRP to EIGRP.


Both R2 and R3# sh ip ro os   === WILL SHOW THE SAME OSPF route to the OSPF domain.

Gateway of last resort is 172.17.32.1 to network 0.0.0.0

      192.168.60.0/32 is subnetted, 1 subnets
O        192.168.60.1 [110/3] via 172.17.34.1, 2d01h, FastEthernet1/0
R2#