Something that is seemingly difficult to find clearly described in plain English for JunOS is 802.1ad L3 service-provider tunnel termination.
I.e., QinQ tunnels to/from sites using the 0x88a8 ethertype, where you terminate to an L3 interface on the innermost VLAN.
Unsurprisingly (perhaps), the config is largely similar between Cisco IOS and Juniper JunOS.
That said, both configs still feel somewhat bulky, but I think that's really just the nature of the beast.
Some config I've labbed, and also tested against some non-production services on the MX platform, follows:
interfaces {
    xe-0/1/0 {
        description "QinQ bundle from provider";
        flexible-vlan-tagging;
        gigether-options {
            ethernet-switch-profile {
                tag-protocol-id 0x88a8;
            }
        }
        unit 1001 {
            description "CCI/NNI Tail 1001 to site Foocity";
            encapsulation vlan-bridge;
            vlan-tags outer 0x88a8.1001 inner 10;
        }
    }
    irb {
        unit 1001 {
            description "CCI/NNI Tail 1001 to site Foocity";
            family inet {
                address 10.0.0.1/29;
            }
        }
    }
}
bridge-domains {
    vlan1001 {
        description "Foocity";
        domain-type bridge;
        vlan-id none;
        interface xe-0/1/0.1001;
        routing-interface irb.1001;
    }
}
For comparison's sake, and for the non-JunOS-savvy, the Cisco 7600 (and mostly, ASR equivalent) is pretty similar. Just replace the sub-interface with the service instance stanza.
interface TenGigabitEthernet1/11
 description QinQ bundle from provider
 no ip address
 dot1q tunneling ethertype 0x88A8
 no keepalive
 service instance 1001 ethernet
  description CCI/NNI Tail 1001 to site Foocity
  encapsulation dot1q 1001 second-dot1q 10
  rewrite ingress tag pop 2 symmetric
  bridge-domain 1001
!
interface Vlan1001
 description CCI/NNI Tail 1001 to site Foocity
 ip address 10.0.0.1 255.255.255.248
!
vlan 1001
 name Foocity
!
end
Something I've always had trouble with, is wrapping my head around class-of-service on Juniper devices.
It's never helped that almost all the EX examples are overly complicated, and/or assume you are running some manner of L3 interface on the device.
In our environments, almost every single one of our EX switches is exactly that - just a switch. So we typically need to classify on ingress and set DSCP or 802.1p values based on what's connected to what port.
Something in my head clicked today and I realized that it's so simple... I just have to remember:
Classify on -INGRESS-, mark on -EGRESS-
Classification assigns traffic to a forwarding class, and mark on egress based on which forwarding class you just put traffic into.
So incredibly simplified, mark everything entering ge-0/0/1 with 802.1p priority 5 as it exits ge-0/0/0:
ex2200# show class-of-service
interfaces {
    /* Mark everything on egress appropriately per the custom re-write rule */
    ge-0/0/0 {
        unit 0 {
            rewrite-rules {
                ieee-802.1 EF-TO-PCP-5;
            }
        }
    }
    /* Classify everything on ingress as EF, and put it into the EF switch queue(s) */
    ge-0/0/1 {
        unit 0 {
            forwarding-class expedited-forwarding;
        }
    }
}
rewrite-rules {
    /* Mark packets in the EF queues as priority 5 */
    ieee-802.1 EF-TO-PCP-5 {
        forwarding-class expedited-forwarding {
            loss-priority low code-point 101;
            loss-priority high code-point 101;
        }
    }
}
Random sidetracked moment of the day:
Punching at random words from Android autocomplete entries and reading the resulting phrases.
Actual examples:
Can ping it is not the intended recipient of this tag has a lot of planning and the mayonnaise jar Svideo tuner
Know when to expect from the lab and a gateway of Once again for all your favorite music is my first post a link on my phone number for you guys sell it
How'd the office and the other hand that's probably why you should know about the future of this message has been in business
Going to try and start posting semi-regularly again (for really reals this time).
As proof, here's a thing:
Something sort-of interesting came up at work today.
I had to create a one-stop Excel function to convert DMS Lat/Long to their Decimal equivalents.
Ala:
52° 58' 44.889" N
Into
52.979136
And
122° 33' 37.929" W
Into
-122.560536
Almost all the examples I could find relied on one, or a combination, of:
Pre-formatting the data using text-to-columns
Using hard-coded numbering, or modifying the original values into some other format
VBS script(s) to do it
My restrictions were:
I can't modify the original data
I "must" reference the original data (can't copy/paste, modify, then use)
It must be easy to spot problems with the reference data
Microsoft has a script, but it only worked for about 15 minutes, and then broke. And $DAYJOB restrictions meant I couldn't make the VBS portable with the end result anyway.
Suffice to say, neither option suited my case, and it seemed a problem that should be solvable with a single function.
What I learned: Excel can do stupidly interesting stuff, but holy crap - if they would just integrate regex support directly into Excel (read: not as a VBS plugin) for normal human beings, my life would have been much easier.
To break it down:
If the A10 cell starts with a '-', or ends with a 'S'outh, add a negative to the decimal output.
Parse number for Degrees
Parse number for Minutes, convert
Parse number for Seconds, convert
Function for Longitude is much the same. If check just converts 'W'est to negative instead.
Pros:
Don't need VBS, or to split the lat/long into separate cells
Spacing between values doesn't matter (empty space is easy to deal with, if excel doesn't automatically).
Cons:
It is fragile. Breaks when someone uses the wrong delimiter for degrees, minutes, seconds (°, ', "), but those are easy to find and fix - someone that fails at their data entry is not my problem in this case.
Though the fragility is my 'detect problem' case. #VALUE! cells are easily parsed out of the output, for which I can take it up with the data provider in the first place.
No numerical errors so far across 132 pairs of DMS lat/long values. Hooray.
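The breakdown above (sign from a leading '-' or a trailing S/W, then degrees, minutes/60, seconds/3600) written out as a small Python routine. This is an added example, not the Excel formula from the post; the sample cells are constructed (two of them are the post's own values), and a cell that fails to parse comes back as None, which is the equivalent of the #VALUE! cells the post relies on to spot bad source data.

```python
import re
from typing import List, Optional

# Constructed sample cells. The first two are the values quoted in the post;
# the third uses a leading '-' instead of a hemisphere letter; the fourth is
# the fragile case (wrong delimiters) and must NOT silently produce a number.
SAMPLE_CELLS = [
    "52° 58' 44.889\" N",
    "122° 33' 37.929\" W",
    "-122°33'37.929\"",
    "52 58 44.889 N",
]

# One regex does what the formula does by hand: pull out degrees, minutes and
# seconds, tolerate arbitrary spacing, and capture an optional leading '-' or
# trailing N/S/E/W.
_DMS_RE = re.compile(
    r"""^\s*(?P<sign>-)?\s*
        (?P<deg>\d+(?:\.\d+)?)\s*°\s*
        (?P<min>\d+(?:\.\d+)?)\s*'\s*
        (?P<sec>\d+(?:\.\d+)?)\s*"\s*
        (?P<hemi>[NSEW])?\s*$""",
    re.VERBOSE,
)


def dms_to_decimal(cell: str, places: int = 6) -> float:
    """Convert one DMS string to signed decimal degrees.

    Raises ValueError on anything that does not match, playing the role of
    Excel's #VALUE! so bad source data stays visible instead of quietly
    turning into a wrong coordinate.
    """
    m = _DMS_RE.match(cell)
    if m is None:
        raise ValueError(f"not a DMS value: {cell!r}")
    degrees = float(m["deg"])
    minutes = float(m["min"])
    seconds = float(m["sec"])
    if minutes >= 60 or seconds >= 60:
        raise ValueError(f"minutes/seconds out of range: {cell!r}")
    value = degrees + minutes / 60 + seconds / 3600
    # South and West (or an explicit leading '-') are negative.
    if m["sign"] or m["hemi"] in ("S", "W"):
        value = -value
    return round(value, places)


def convert_column(cells: List[str]) -> List[Optional[float]]:
    """Convert a whole column, keeping None wherever a cell failed to parse."""
    out: List[Optional[float]] = []
    for cell in cells:
        try:
            out.append(dms_to_decimal(cell))
        except ValueError:
            out.append(None)
    return out


if __name__ == "__main__":
    for cell, result in zip(SAMPLE_CELLS, convert_column(SAMPLE_CELLS)):
        print(f"{cell!r:28} -> {result}")
```

Keeping the failure visible (None, rather than a guessed value) is the point: a coordinate that is off by a minute because a delimiter was swapped is much harder to find later than an empty cell is now.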
Coming up next, probably a rant about TCP Bandwidth Delay Product.
Quick rant and post, more details on life after the break.
I'm extremely impressed with Juniper's SRX300. Price, performance, features are amazing.
Ordered up one of said SRX300s for my home lab, to replace my EOL'd SRX100B.
I can hear the Mikrotik and Ubiquiti fans jumping up and down, but no... just no. Given the choice, I'd install OpenBSD on an APU2 before trusting Ubiquiti or Mikrotik to do anything more than bridge frames, which they do poorly at that. Even then...
Related, mental note for RANCID command restriction within TACACS for Juniper/JunOS devices.
RANCID needs these, or it breaks expect:
'set cli complete-on-space off'
'set cli screen-length 0'
Set CLI commands are pretty tame, so you could safely get away with;
Let's see, other stuff... other stuff...
I put pi-hole on a beaglebone black to try it out. I learned many, many things. The experience was painful, and wasted many, many, many hours of my time. However, given how out of touch with Linux I am these days, I could attribute it to a lack of practice and knowledge surrounding how ruined the Linux landscape has truly become.
Honestly, my last foray was with Gentoo, before the portage tree was opened up to volunteers that immediately broke everything, which forced me to slackware.
I'll admit it, I was a Gentoo-ite, obsessed with kernel size. 714k of kernel, man! And another 6% FPS increase in glxgears! WOO! Pretty sure I got it much smaller once, but honestly now, who cares...
As for the things I learned, the highlights:
You can't just use ifconfig out of the box any more
no tcpdump in the 1.8gig base install. This is just plain unforgivable
The concept of editing resolv.conf, and expecting it to work is apparently dead
Side note so I remember: have to piss around with 'resolvconf' and resolv.conf.tail
Additional side note: Forget about resolv.conf entirely if you updated Debian to jessie, which apparently excludes the resolvconf binary. Download the rpm on another box with working DNS to proceed
There is no fstat, so use 'pstat -apn' to figure out what PIDs are squatting on what sockets
Oh god systemd, why?!
completely ignore init.d. Look at systemctl, and then proceed to spit tea at monitor, and then remove hair with clenched fists.
I can't help thinking I could have just setup unbound in the first place, since I don't really care about the Pi-hole GUI.
Next steps, repeat the experiment with OpenBSD and unbound.
Been busy re-wiring the new house. Mostly done. Furnace tried to burn the house down when the blower motor blew and the breaker failed. Pictures to come in the spring I guess.
I've run into this a few times on some of our production OpenBSD boxes now, and I'm always spending too much time remembering how to fix it:
arpresolve: 10.10.10.1: route without link local address
Usually caused because:
The address in the log message was probably deleted and re-added, or moved to a different interface.
To fix:
Find, delete, and re-add all the static routes pointing at the host it's complaining about, as you probably have some statics on the box for redistribution or other dumb tricks.
It seems bug-ish to me, since for all intents and purposes nothing's actually broken. It just spams your syslog a few hundred times a second (or more if your box is really busy).
Filed under the to-investigate-further-someday pile.
Quick post today.
Will probably have something to say about my new house, and the options I'm looking at for a NAS / AppleTV streaming appliance eventually.
Have some pictures of my trip to the Kootenay's to post too at some point or something.
So, I keep forgetting how to do this:
How to move bridge-group 1 around on v15 Cisco Aironets, as they are a pain in the rear. You used to be able to just replace bridge-group 1 with another, but now you get:
Interface already configured within Bridge Group 1.
So that's super helpful. The good news is it can still be moved to somewhere mostly useful. However - the destination interface must be configured with dot1q native. That, of-course, blows big wind. Thanks Cisco!
But hey - at least it's something, and can let the rest of your configs make sense.
To summarize the steps:
Add the interface.foo subinterface
Configure it for dot1q encapsulation foo native
Move bridge-group 1 to the new interface.foo subinterface
Success!
And here it is in action, with gratuitous failure attempts for context.
ap>enable
ap#sh int desc
Interface      Status         Protocol Description
BV1            down           down
Do0            admin down     down
Do1            admin down     down
Gi0            up             up
ap#sh bridge verbose

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Flood ports (BG 1)        RX count    TX count
Dot11Radio0                      0           0
Dot11Radio1                      0           0
GigabitEthernet0                95           0
ap#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)#int gi0.4
ap(config-subif)#encapsulation dot1Q 4
ap(config-subif)#bridge-group 1
Configuration of subinterfaces and main interface within the same bridge group is not permitted
ap(config-subif)#int gi0
ap(config-if)#no bridge-group 1
%command not allowed, cannot remove bridge-group 1
ap(config-if)#bridge-group 4
Interface already configured within Bridge Group 1.
ap(config-if)#int g0.4
ap(config-subif)#encapsulation dot1Q 4 nativ
ap(config-subif)#bridge-group 1
ap(config-subif)#^C
ap#sh run int g0.4
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0.4
 encapsulation dot1Q 4 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
end

ap#sh run int g0
Building configuration...

Current configuration : 59 bytes
!
interface GigabitEthernet0
 duplex auto
 speed auto
end

ap#sh bridge verbose

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self
So, fluctuator has been shut-down. The 510 chassis soon to be re-purposed for greater things.
In doing so, I've merged and updated a pile of my VM's. Down to 4 from 7, which is a good start.
To that end, this is more of a token post to test that stuff is still working from all the migrations last night.
So... here's some random junk:
Me: oh god. I win moron of the week award.
Co-worker: You are the greetest!
(Inane chatter about my oversight)
Co-worker: I'm also not smarting today. Going to coffee my brain
Me: Huh...
TOKENHOSTNAME-S01#sh env all
FAN is OK
Internal POWER supply is FAULTY
RPS is NOT present
Me: I may be having an off day, but that seems slightly strange.
Co-worker: Hmm, should be proactive and HAHAHAHA
Also, this looks incredibly interesting. I've had a song on my iPod by them for ages, but never realized they're basically a carnival stage-acting band type delay.
Wicked cool.
And now for something plausibly interesting… maybe.
Finally updated my random image thing which was long, long, long overdue. Pulls images out of an SQL index instead of cramming an array full of filenames and paths after scanning the disk. Every. Single. Time. The. Page. Was. Accessed.
It's improved load times significantly. Also put in the ubiquitous image access function while I was at it, so I can stop hard-linking to files in my random folder which break if I move things around.
Now I just need to find a way to safely import custom functions into Drupal, and I'll be set.
Moar random phpipam jargon. Stuff I had to do to make the ping scan and alive-host detection in phpipam work on OpenBSD after the 1.0 release:
functions/functions-common.php assumes your php executable will be 'php'. OpenBSD's 5.3 package binary is php-5.3. Yeah, I know - I need to update from 5.3. So sue me.
Quickest fix which will break next time I update base and the package tree
sudo ln -s /path/to/php-5.3 /same/path/php
Also, the ping binary included in base needs the timeout switch and number to be tweaked.
Patch for OpenBSD base's 'ping' binary:
So. I have yet another new toy. Granted, this is my first real toy toy.
I didn't even really want it, like want want it.
Nor was I looking for it.
Was humouring the sales guy at the car dealer, who was busy trying to sell me on a Tucson, Santa Fe, or Genesis. The aforementioned three are pretty weak compared to the Volvo.
"So, I'll try the next trim-level Genesis, maybe it'll be better than the base." I says.
"Let me take a look around the used lot, while you check if there's one free to drive." I says.
"Huh... a Lancer. Nice. Wait… that's an Evolution. Wonder which salesman owns that. …No plates? Uh… Hey! What's up with this Evo?"
There you go. That's the story of how the downpayment for another house became a toy, and enough debt to keep me from just up and stopping from going to work suddenly. At least for a little while.
It's been a while since I've driven a standard. This one came with a racing clutch among other things, which I proceeded to stall about 5 times on the test-drive.
Since acquiring it 5+ weeks after making payment, the number of stalls has increased to a total of 21 over the span of two days, though the rate at which they occur has decreased exponentially.
Just in time for fall and winter. Smart.
Replaced an old Soekris at work couple weeks back. Poor old thing had 1388 days of uptime.
Alas, the replacement was necessary to turn a previously abandoned transmission site isolated on a 3rd party's network, into a customer-ready site, jerry-rigged into our AS.
Took a wee bit of fiddling, but found the right knobs to tweak to replicate some of the tricks we use on our cisco boxes to make management happen in stupid places without the hardware or budget to do it properly.
Probably easier to just use BGP for the whole deal, but our OSPF RIB is already polluted with so much garbage from all the bad ideas that were pushed into production over the years anyway. As such, it's becoming the dumping ground for bad (albeit, fun) ideas like this one.
Relevant config here for future self-reference - obviously, severely obfuscated from the production environment.
The keen observer will notice that there's no IPSEC here. Because of company policy to drive end-of-life equipment into the ground, we lack sufficient resources for shaping or ACL's, let alone crypto at our aggregators. My gif(4) and IPSEC experiments will have to wait until I have sufficient boxes, and enthusiasm to pursue this of my own accord.
The diagram:
On the Cisco:
!
interface Loopback254
 description Public tunnel termination interface
 ip address 172.20.254.254 255.255.255.255
!
interface Loopback101099
 description 1010 Fake St, Nutley. Z-end network
 ip address 10.10.99.1 255.255.255.255
!
interface Tunnel101099
 description 1010 Fake St, Nutley. Management tunnel
 ip unnumbered Loopback101099
 ip mtu 1476
 ip ospf 1 area 10.10.99.0
 tunnel source Loopback0
 tunnel destination 192.168.99.223
!
router ospf 1
 router-id 172.20.254.254
 area 10.10.99.0 stub no-summary
!
end
On the Soekris:
bsd~ grep inet /etc/hostname.vlan99
inet 10.10.99.0 255.255.255.0 NONE up

bsd~ cat /etc/hostname.gre0
192.168.99.223 172.20.254.254 netmask 255.255.255.255 link0
tunnel 192.168.99.223 172.20.254.254
inet alias 10.10.99.2 255.255.255.255
up
# Alias and static route to R01. Without these, ospfd sends hello's directly out the
# upstream interface un-encapsulated, instead of over the tunnel
!route add -host 10.10.99.1 -iface 10.10.99.2

bsd~ sudo cat /etc/ospfd.conf
router-id 10.10.99.254
area 10.10.99.0 {
    stub
Less the underlying config for a happy BSD and Cisco box (routing tables, outbound interfaces, etc.), you should wind up with something along these lines:
bsd~ ospfctl show neighbor
ID              Pri State        DeadTime Address         Iface     Uptime
172.20.254.254  1   FULL/P2P     00:00:34 10.200.6.1      gre0      31m
On paper, this looks goofy as all hell, but is a fun way to exploit the longest prefix wins rule. Plus, our IGP tables are already polluted with far, far worse garbage that won't be going away any time soon. The real world has a habit of destroying all hope one had of running an efficient, clean, easy to manage network.
One caveat is access to/from our NMS. Since the amount of impact and network noise from this cruft is limited by the stub, a static route was necessary (Augh!).
Also, now that I think about it, the 'ip unnumbered loopback' in the example is a left-over from plastering this over top of multiple tunnels to the same site. Here, it's un-necessary.
That said, learn from my tomfoolery. Just because you can, don't… just don't. Do not do this to your network.
Moving right along.
I'm loving this album. Having watched the music videos, I recollect having watched them late last year as they were being released. I don't recall enjoying the songs nearly as much then as I do now.
Weird.
Seems I broke my search indexer yonks ago. It's been fixed, so yay.
Dusted off one of the random project ideas I mentioned some time back, and actually got around doing something useful beyond the initial proof-of-concept.
Successes so far:
Registered my iPad, and Galaxy S4 as SIP stations
Inbound call forwarding from the PSTN to all active SIP clients
Outbound calling from SIP clients to the PSTN
Problems to solve next:
Stop my iPad's IPSEC VPN from disconnecting every time it's idle for more than 2 minutes
By far and away, the biggest headache was daisy-chaining my 2811's voice-port off an analogue port on the office's phone system. However, having succeeded, I'm able to intercom co-workers from wherever I have wifi connectivity which is worth the price of admission right there.
The good folks at Juniper are doing a good job of keeping me happy. I received the EX2200-C-12T-2G for my collection of lab hardware today. Now I'm half inclined to ditch the 1811 in front of *.sarlok.com, and shunt everything to my SRX100 to force familiarity levels beyond the casual mark. However, now that most of my voice proof-of-concept is out of the way, the 2811 could probably replace it too…
Also, damn you iTunes. Damn you to hell… why don't you have this song?
Gah. Unenthused sarlok is unenthused. Warning: This post may have no meaning beyond providing a brief interlude to my current lapse of boredom.
I fixed a frick-load of broken URLs spread across my blog posts of old, most of which I broke myself after re-jigging the random images folder. Wound up splitting the one monster folder into several subs to cut back on disk chatter.
Hindsight, having fixed the broken links, I'm now re-thinking my choice of hard-coding paths and images, and have some idea for a permalink that should be sane enough to keep up with auto-filing image folders… maybe by the time my next post is done.
My new toy.
Spontaneous purchase was spontaneous. My old bow was already fast at ~320fps.
Splurged on some nice light 250 grain arrows to go with the new bow though.
My new other toy.
My initial observations were how amazingly well built the thing is. I thought Dell and IBM's servers were well made, but after cracking the T2000 open… It's very, very nice.
Master plan is to move *.sarlok.com to the T2000, and re-purpose fluctuator as a storage backend on account of the 8 drive-bays.
That aside, this made me chuckle seeing it for the first time post-install.
I especially love how base has fewer processes than there are cores… well, threads I guess - but still.
Let's see… what else has been randomly interesting of late…
I blew half-an-hour chasing down some random problems with our internal mediawiki at work. I was surprised, and amused by the cause of a phantom reset packet. Probably would have caught on sooner if I decided to tcpdump right off the bat and saw said reset, but oh-well.
Turns out, copy-pasta of a unidiff one-liner for an unprivileged user from master.passwd into the wiki page body for documentation didn't get past the ASA IPS module sitting at the edge of a number of our servers.
Well, this has been well overdue, and yet, it still turned into a discordant mess of random junk.
I did something constructive! I draw your attention to the tag cloud widget to the right. Haven't touched that java thing in ages though.
Vacation was relatively uneventful. Flew to Calgary and met up with Theo, and took the opportunity to get some tech into his hands. I'm not sure if I should be happy, or annoyed that I enjoyed the two outings with him significantly more than that of my entire week in Ireland. I feel far less intelligent myself now having met the fellow, though was quite humbling - and enjoyable - to see some Beaker impressions bust loose while talking about FreeBSD in the pub.
Was entirely too nervous to ask for a photo… ahwell, maybe next time.
Okay, on with the completely random noise. Things I found myself exclaiming while playing Don't Starve.
"Nooo! My bees!"
"Help! Wake up and help me you stupid pigs!"
"Get away from my berry bushes you damn gobbler!"
"AHH! What the frick is that? Going insane sucks!"
"WUAH! *trackball goes flying*"
Nothing else in particular to say, so... here's a word I'm desperately trying to be able to say without pausing to think.
Человеконенавистничества!
And, something completely random and stupid:
co-worker: Your ARP thing might be related to S01 fa0/46 showing amber, connected to L01 fa0/1/8
me: I'm watching a tcpdump, waiting for 16:30 to roll around to see if that tells me anything more useful.
me: Not the winrar, but still equally amusing:
16:13:26.391799 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2
16:13:26.602404 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.10.2 (ff:ff:ff:ff:ff:ff) tell 10.10.10.2
co-worker: PM3 is old and dumb
me: Heheh. Almost as good as the Axxceleras. They generate a completely whacked out source-MAC address when they ARP for themselves.
me: And by dumb, I'm sure you mean enterprise-y