Thursday, 8 August 2019

Setting up bonding with LACP using the ip command in Linux

This can be accomplished quite quickly with the IP command if you only need it temporarily:

ip link add bond0 type bond
ip link set bond0 down
ip link set bond0 type bond mode 802.3ad
ip link set enp1s0 down
ip link set enp1s0 master bond0
ip link set enp2s0 down
ip link set enp2s0 master bond0
ip link set bond0 up

and to remove the bonding we can issue:

ip link del bond0
ip link set enp1s0 up
ip link set enp2s0 up

Quickstart: Installing Arch Linux 2019.X

Firstly download the latest iso image from one of the mirrors below:

https://www.archlinux.org/download
wget https://www.mirrorservice.org/sites/ftp.archlinux.org/iso/2019.08.01/archlinux-xxxx.xx.xx-x86_64.iso
and then write it to your preferred media:
dd bs=8M if=archlinux-xxxx.xx.xx-x86_64.iso of=/dev/sdX | sync
Upon booting the image select the default selection to boot Arch.

This will get you into the system under the root user.

The setup portion is a Gentoo style approach of efffectively 'assembling' the system yourself.

From here we'll firstly partition the disks:
lsblk
NAME            MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sdX               8:0    0 1000G  0 disk 

In this example we'll create three partitions - one for the root fs, another for our home fs and finally one for swap.
parted -a optimal /dev/sdXhyu
mktable gpt
mkpart ESP boot fat32 0% 500MB
mkpart root ext4 500MB 250000MB
mkpart home ext4 250GB 750GB
mkpart swap ext4 750GB 800GB
set 1 boot on
Create the filesystems with:
mkfs.msdos /dev/sdX1
mkfs.ext4 /dev/sdX2
mkfs.ext4 /dev/sdX3
mkfs.ext4 /dev/sdX4
mkswap /dev/sdX4
swapon /dev/sdX4
Proceed by mounting the file systems:
mount -t auto /dev/sdX2 /mnt
mkdir -P /mnt/boot/EFI && mount -t auto /dev/SdX1 /mnt/boot/EFI
mkdir /mnt/home && mount -t auto /dev/SdX3 /mnt/home
We'll need the network setup at this point so we can access the arch repo's:
dhclient
and then pull down all the nessasery compontents for the root fs:
pacstrap /mnt base base-devel
Once complete we'll need to generate the fstab for the new system:
genfstab -U /mnt >> /mnt/etc/fstab
and then change our root password by chrooting into the new system along with the hostname:
arch-chroot /mnt
hostname arch-box
passwd
We'll also configure regional and time settings with:
ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
hwclock --systohc
locale-gen
printf "LANG=en_GB.UTF-8" > /etc/locale.conf
export LANG=en_GB.UTF-8
I'm going to use KDE Plasma for the desktop environment:
pacman -S xorg xorg-server xorg-xinit plasma-meta sddm
Finally we will configure grub:
pacman -S grub efibootmgr dosfstools os-prober mtools
grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=grub_uefi --recheck
grub-mkconfig -o /boot/grub/grub.cfg
Exit the jail:
exit
and restart:
shutdown -r now
Once booted into the new OS we'll setup the network configuration - for this example I'll be setting up DHCP.

With Arch we have a few options for network configuration - either netctl or networkd (a newer component.)
vi /etc/netctl/enp2s0
Description=LAN interface
Interface=enp2s0
Connection=ethernet
IP=dhcp
Ensure the interface will come up on boot by issuing:
netctl enable enp2s0
Enable and start the DHCP service with:
systemctl enable dhcpcd
systemctl start dhcpcd
and then attempt to start the interface with:
netctl start enp2s0

Friday, 12 July 2019

Using Juniper SRX devices as routers

The SRX series are part of Junipers security line of products and provide firewall among a host of other security features such as IDS and IPS.

However you can effectively use the SRX range as a traditional router by changing the forwarding mode from flow based (stateful inspected) to packet based (stateless per packet inspection.)

You can verify the forwarding mode by issuing:

show security flow status

We should firstly ensure we remove any existing security configuration from the device with:

delete security

and then ensure the forwarding mode is set to 'packet based':

set security forwarding-options family mpls mode packet-based

commit it and then reboot:

commit
run request system reboot

Upon restart check the forwarding mode again with:

show security flow status

Thursday, 4 July 2019

Configuring an Etherchannel (with LACP) between JunOS and Cisco IOS

Juniper JunOS

Firstly create the aggregated interface:

edit chassis
set aggregated-devices ethernet device-count 2

top
edit interfaces
set ae0 aggregated-ether-options

and define the LACP interval period (i.e. the rate at which the device will send / receive LACP protocol messages):

set aex aggregated-ether-options lacp periodic fast

By default the 'lacp periodic fast' sets the transmission rate to 1 second.

Note: It's important that the rate is matched on the other end as well.

We'll now associate our interfaces with the aggregated link we've just configured:

edit interfaces
edit ge-0/0/1
set ether-options 802.3ad ae0
exit
edit ge-0/0/2
set ether-options 802.3ad ae0

Cisco IOS

conf t
int range gi1/0/1-2
channel-protocol lacp
channel-group 1 mode active
lacp rate fast
no shut

int po1
description etherchannel

Tuesday, 2 July 2019

Base Junos Configuration

The following template will get the fundamental features setup in Junos and act as a base for building more advanced configurations:

# Enter configuration mode
cli
configure exclusive

# Configure root user key / password
set system root-authentication load-key-file
[OR]
set system root-authentication plain-text-password

# Enable remote management
edit system services
active ssh
ativate web-management https
set web-management https port 443
set web-management https system-generated-certificate
set web-management https interface fxp0.0

# Disable insecure services
deactivate telnet
decativate web-management http

# Setup hostname
top
set system host-name "host01"

# Setup time / date / ntp
set system time-zone Europe/London
exit
set date ntp 1.uk.pool.ntp.org
set cli idle-timeout 10

# Setup new user and assign login class
edit
edit system login
edit user jbloggs
set authentication plain-text-password
set full-name "Joe Bloggs"
set class operator | read-only | super-user

# Create custom login class
set system login class test-class permissions [interface interface-control]
set system login class test-class idle-timeout 10
[OR]
# Configure RADIUS
set system radius-server 10.11.12.254 source-address 10.11.12.1
edit system radius-server 10.11.12.254
set secret <pass-phrase>
set port 1845
# Ensure radius requests originate from the mgmt interface
routing-instance mgmt_junos
exit
set system authentication-order [radius password]
# Assign a default class for remote users
set system login user remote class super-user

### Setup Layer 3 Interface
# Change physical properties
edit interfaces ge-0/0/1
set speed 10m
set link-mode full-duplex

### Create VLAN
set vlans testvlan vlan-id 123
set vlans testvlan2 vlan-id 456

# Change logical properties
edit interfaces ge-0/0/1 unit 0
set vlan-id 50
edit family inet
set address 1.2.3.254/24

### Setup Access Port
# Change logical properties
edit interfaces ge-0/0/2 unit 0
set family ethernet-switching interface-mode access
set family ethernet-switching vlan members 123

### Setup Trunk Port
edit interfaces ge-0/0/3 unit 0
set family ethernet-switching port-mode trunk vlan members [testvlan testvlan2]

### Syslog Forwarding
* This is performed via the local syslog server rather than the Juniper CLI (messages found in /var/log/messages)
* To edit the configuration from the CLI use 'edit system syslog'.

### Commit changes
commit

Wednesday, 29 May 2019

Configuring Auto QoS on Cisco Switches

Auto QoS is a great feature included with the majority of switches running at least the LAN Base feature set. It will likely require some further tweaking after it's setup however it's a great base for applying QoS.

Cisco provides support for it's own telephony devices (surprise, surprise!) through CDP broadcasts. However in my case I am working with a different vendor and since not all switches will provide classification of packets I'm relying on the tagging being performed by the downstream devices.

It's very simple to setup - simply apply the following to the switch ports in scope (i.e. the ones connected to the telephony devices):

conf t
int range gi1/0/1-10
auto qos trust dscp
end

This will instruct the switch ports in scope to trust DSCP markings applied by the downstream devices (as I'm sure you're aware by default DSCP marking are typically stripped.)

The 'auto qos trust dscp' also enables qos globally for us and also applies a few other directives on the interface - so in reality a lot of the setup is performed for you - however in reality it's still crucial that you understand what each directives means!

do show run int gi1/0/1

interface GigabitEthernet1/0/1
 switchport access vlan 2000
 switchport mode access
 speed auto
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 auto qos trust dscp
 spanning-tree portfast
 spanning-tree bpduguard enable

To verify QoS is turned on globally we can review:

show mls qos

and to review interface specific QoS information:

show mls qos interface gi1/0/1

We can also test QoS is successfully prioritising packets with iperf (tagging the traffic with a non zero DSCP value) e.g.:

iperf -c 10.11.12.13 -i 1 -S 0xB8 -t 0

'0xB8' is the hexadecimal equivalent of TOS's 184 - which equates to DSCP's 'ef' / 46. According to the man page (at least in mine) the value must be in hexadecimal TOS form. There is an list of all of them available here.

We can then review the QoS counters for the interface with:

show mls qos interface gi1/0/1 stat

Thursday, 23 May 2019

Cross compile packages for OpenWRT / LEDE

For this tutorial I'll be using Fedora 29 for the build host.

We'll install the necessary dependencies firstly:

sudo dnf install asciidoc binutils bzip2 flex git gawk intltool zlib gmake ncurses openssl-devel patchutils p5-extutils-makemaker unzip wget gettext libxslt zlib-devel boost-jam perl-XML-Parser libusb-devel dev86 sharutils java-1.7.0-openjdk-devel b43-fwcutter zip

The next step is to obtain the OpenWRT SDK which will allows us to cross-compile packages that we require on OpenWRT.

I'll be using a BT Home Hub 5A for this exercise - so I browse the releases:

https://downloads.openwrt.org/releases/17.01.4/targets/lantiq/xrx200/

Under the supplementary section you should find the SDK e.g.

lede-sdk-<version-number>-<vendor>-<model>_gcc-<version number>_musl-<version number>.Linux-<architecure>.tar.xz

We'll proceed by downloading and extracting it:

wget https://downloads.openwrt.org/releases/17.01.4/targets/lantiq/xrx200/lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz

tar xvf lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz && cd lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64

The default feeds will be targeted at 17.01.4 and hence be missing fping - however the current master branch has fping available - so we'll add the following line to feeds.conf.default ensure it's indexed / available:

src-git fping https://github.com/openwrt/packages.git

Update the feeds (as defined in feeds.conf.default):

./scripts/feeds update -a

and grab fping with:

./scripts/feeds install fping

We'll generate our config file:

make menuconfig

Select 'Network' and ensure the fping package is marked with an 'M' and then save the changes to '.config'

Also make sure that cryptographic signing is disabled (otherwise the build process will fail): 'Global build settings' > Untick 'Cryptographically sign package lists' and hit Save.

We'll now attempt to compile fping:

make -j1 V=s

The binary is created in the following directory:

bin/packages/mips_24kc/fping/

Finally upload the package via SFTP/SCP to the router and install it with opkg:

opkg install fping_4.2-1_mips_24kc.ipk