Juniper Networking Technologies

Day One: Deploying Zero Touch Provisioning

Enable Juniper EX Series Switches to automatically download their Junos OS image and then configure and discover themselves in your network management platform.

By Scott Reisinger

DAY ONE: Deploying Zero Touch Provisioning

Zero Touch Provisioning (ZTP) involves a lot of UNIX configuration and very little EX Switch configuration – that's the whole point. ZTP is extremely useful in deploying new Juniper Network equipment and has a lot of applications, whether they are in your data center or in an emergency network setup (from a hurricane to the next Rolling Stones concert).

This Day One book is for the lab. It shows you exactly how to set up and configure the Linux Dynamic Host Configuration Protocol (DHCP) server and how to get it to work with HTTP and TFTP to allow a new Juniper EX Series Switch or vSRX to automatically download its configuration and discover itself in your lab network. More experienced engineers can blast through this lab setup in a few hours, while the less experienced may take an entire Day One – it's all doable and it's all here, no matter your skill set or network size.

"If you're planning to deploy a large network and are thinking about automating your network deployment, I highly recommend this Day One book. Not only will you find Zero Touch Provisioning (ZTP) concepts explained, but real-world BOOTP, HTTP, and Junos configuration examples, as well. In short, this book provides the necessary knowledge to complete a ZTP deployment in a matter of hours with step-by-step instructions and examples of how to build everything from a working DHCP/HTTP server to monitoring the process using the CLI."
Chris Weber, PMP, VP Network Solutions, Four Points Communications

IT'S DAY ONE AND YOU HAVE A JOB TO DO, SO LEARN HOW TO:

- Know the difference between provisioning and Zero Touch Provisioning (ZTP)
- Understand how the EX Series Switches and SRX Series devices
utilize BOOTP/DHCP
- Design a network management system that supports DHCP
- Create a DHCP server, HTTP server, and TFTP server for ZTP
- Use CURL, TFTP, and other access methods such as SCP and SSH
- Prepare enterprise networks for deployment
- Automate the upgrade and configuration of devices

Juniper Networks Books are singularly focused on network productivity and efficiency. Peruse the complete library at www.juniper.net/books.

Published by Juniper Networks Books
ISBN 978-1941441299

Juniper Network Technologies
Day One: Deploying Zero Touch Provisioning
By Scott Reisinger

Preface  vii
Chapter 1: Building the DHCP Server  13
Chapter 2: Configuring the DHCP Server  29
Chapter 3: Configuring the HTTP and DHCP Daemons  37
Chapter 4: Testing Zero Touch Provisioning  47
Appendices  54

© 2015 by Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Published by Juniper Networks Books
Author: Scott Reisinger
Technical Reviewers: Joseph "JT" Wilson, Ankit Chadha, Mitch Shatto, Vaughn Willy
Editor in Chief: Patrick Ames
Copyeditor and Proofer: Nancy Koerbel
Illustrator: Karen Joice
J-Net Community Manager: Julie Wider

ISBN: 978-1-941441-29-9 (print)
Printed in the USA by Vervante Corporation
ISBN: 978-1-941441-30-5 (ebook)
Version History: v1, December 2015

About the Author: Scott Reisinger is a Systems Engineer at Juniper Networks. He has over 12 years of experience working with devices
running the Junos OS and has spent the last five years with Juniper Networks. Scott is also a 15-year veteran of the USAF, and one of the last Water Walkers.

Author's Acknowledgments

The author would like to thank all those who helped in the creation of this book. Patrick Ames worked with me on all of the editing process and without his assistance this book would not exist. JT Wilson is the go-to SE for the Federal DoD space. I routinely utilize JT as a technical sounding board to make sure there are no issues with designs on enterprise networks. Ankit Chadha is an amazing young engineer with vision. He is a JNCIE with Professional Services and has his own book in the Day One library: This Week: QFabric System Traffic Flows and Troubleshooting. Ankit is one of the hardest working and brightest engineers I have met in my entire career. Mitch Shatto has been my technical reviewer for over a decade across numerous architecture and engineering engagements within the DoD. He is an awesome engineer and, most importantly, a good personal friend who I look to for honest feedback. He never holds back. And Vaughn Willy is a Resident Engineer (RE) with Advanced Services for DoD. Resident Engineers have one of the most important and toughest jobs in the business as they sit on the customer site and provide engineering and operational support for a specific customer. Ankit, Mitch, and I have all been REs for Financial, Service Provider, Cloud Services, and DoD. From experience I can say that Vaughn is one of the best REs in our organization.

This book is available in a variety of formats at: http://www.juniper.net/dayone

Welcome to Day One

This book is part of a growing library of Day One books, produced and published by Juniper Networks Books. Day One books were conceived to help you get just the information that you need on day one. The series covers Junos OS and Juniper Networks networking essentials with straightforward explanations, step-by-step instructions, and practical examples that
are easy to follow. The Day One library also includes a slightly larger and longer suite of This Week books, whose concepts and test bed examples are more similar to a weeklong seminar. You can obtain either series, in multiple formats:

- Download a free PDF edition at http://www.juniper.net/dayone
- Get the ebook edition for iPhones and iPads from the iBooks store.
- Get the ebook edition for any device that runs the Kindle app (Android, Kindle, iPad, PC, or Mac) by opening your device's Kindle app and going to the Kindle Store.
- Purchase the paper edition at either Vervante Corporation (www.vervante.com) for between $12 and $28, depending on page length.

This Book's Scope

This Day One book will walk you through deploying your own personal DHCP and HTTP server using CentOS and configuring the server to include the DHCP configuration file. It also contains tips on how to open the ports through the IPTABLES firewall, verifying the services are operational, and then monitoring the entire Zero Touch Provisioning (ZTP) process using TCPDUMP. The sequence of chapters offers the reader a start-to-finish approach in a step-by-step tutorial to build, test, and deploy a working ZTP solution.

What You Need to Know Before Reading This Book

Don't be overwhelmed by the prerequisites listed here, as everything will be covered step-by-step:

- Basic networking skills and understanding of IP addresses, MAC addresses, and ports and protocols.
- Root or sudo access in order to provision the DHCP and HTTP server.
- Internet access to download the DHCPD and HTTPD packages from the CentOS repository.
- Familiarity with VI or a text editor in CentOS to make changes to and create files.
- Knowledge of system administration on a UNIX platform (this would work with a Microsoft DHCP server and IIS solution, but that wasn't tested and proven in this book's test lab). CentOS was free and available, while the Microsoft solution is proprietary and not free, so the Day One lab did what most engineers do: tried the free one
first.
- Knowledge of how to create IPTABLES entries (IPTABLES is how CentOS deploys a firewall to protect the system).
- Utilize TCPDUMP to verify the device is able to communicate with the server, see what events are taking place, and when they are finished.
- Understand how to start the SSHD, DHCPD, and HTTPD services on the server.
- Understanding of SSH and Secure Copy Protocol (SCP), as well as CURL.
- Understanding of the directory structure on a Linux operating system.
- You will be required to have a valid Juniper Networks account to pull the Junos image from the software download page.

By Reading This Book You Will

- Know the difference between provisioning and Zero Touch Provisioning (ZTP)
- Understand how the Juniper EX Series Switches and SRX Series devices utilize BOOTP/DHCP
- Create a DHCP server, HTTP server, and TFTP server for ZTP
- Use CURL, TFTP, and other access methods such as SCP and SSH
- Prepare enterprise networks for deployment
- Automate the upgrade and configuration of devices

MORE? It's highly recommended that you go through the technical documentation and the minimum requirements to get a sense of the different devices and settings for different models, Linux/UNIX commands used in the lab, requirements for hypervisors, access and permissions required, and how the ZTP device sends and retrieves information using BOOTP/DHCP before you jump in. See https://www.juniper.net/techpubs/en_US/junos13.2/topics/topic-map/ztp-overview-els.html

Preface

The purpose of this Day One book is to document the workflow and the process to perform Zero Touch Provisioning (ZTP) on Juniper Networks EX Series Switches. The process documented here uses the fewest components and features to accomplish initial ZTP provisioning. It is a training setup that you can easily adapt to your own lab equipment and preferred hosting platforms, and then practice and perfect.

IMPORTANT: This Day One book does not go into the more advanced features of utilizing Junos Space and Network Director to provision the
Dynamic Host Configuration Protocol (DHCP) configuration – hopefully, that will be covered in an Advanced ZTP Provisioning Day One book at a later date, or discovered through your own curiosity. The basics covered here will provide you with a solid foundation for exploring and moving on to Junos Space and Network Director provisioning.

Scope

This book addresses the minimum systems and tools required to perform a ZTP installation of an out-of-the-box EX Series switch or an EX Series switch that has been loaded with the factory default configuration and zeroized. Juniper Networks EX Series Switches are configured with auto discovery, from the factory, that utilizes DHCP or BOOTP mechanisms. This setting is on both the Out of Band (OOB) management interface me0 as well as the default VLAN, so if you plug the switch into the network using a revenue port, the VLAN interface will be utilized, and if you use the OOB management interface, that port will be utilized. For the purposes of this Day One book, the OOB management interface will be utilized for ZTP.

This Book's Lab Topology

The overall system architecture required for this Day One project is pretty simple. Figure P.1 depicts the network topology.

Figure P.1: This Book's Lab Topology

For your testing purposes, you can use an SRX100 or another EX and just create the vlan.200 and plug it in to the me0.0 (OOB) interface of the EX Series switch, here an EX2200. You should be able to follow along in your lab using this book as a guide.

MORE? If at any time you do not understand the terminology used in this book, please refer to the Juniper Technical Documentation at http://www.juniper.net/documentation. Alternatively, you might want to review some other Day One books, such as Day One: Exploring The Junos CLI, Second Edition, or Day One: Configuring EX Switches, 3rd Edition. See http://www.juniper.net/dayone for the complete Day One library.

Why ZTP?
There are numerous use cases and deployment scenarios that exemplify why and when to use ZTP, but here are three example use cases the author encountered that benefitted greatly from utilizing ZTP.

Use Case

You are standing up an Enterprise network that consists of a myriad of EX Series Switches for your core, aggregate, and access layers. The network manager has a short timeline to finalize the design, purchase the hardware, develop the configurations, install (rack and stack) the equipment, and have it all operational for their new division to start producing incredible things that will improve their bottom line. You know that the purchase time on the hardware is at least forty-five days and that the power and cable infrastructure will also take at least that long. In addition, you know you will only have one week for the implementers to rack and stack all of the equipment, but it will have to be unboxed in the warehouse where the asset tags, or RFID tags, will be fixed and recorded prior to being deployed. You know, as well, that every Juniper EX Series switch will have to be inspected for the serial number, make, model, etc. that is slotted for every specific location. And being the heads-up engineer that you are, you know that the chassis MAC address is also fixed to the chassis, and by adding to that address you will get the MAC address for the BOOTP auto discovery. (Interesting huh?)
NOTE: The MAC address for an EX2200-C me0 interface is calculated by adding hex 3F to the chassis MAC address:

    EX2200> show chassis mac-addresses
    FPC 0 MAC address information:
      Public base address     78:fe:3d:e4:01:80
      Public count            64

So, the hex conversion of 80 to binary = 1000 0000, and hex 3F = 0011 1111, so adding hex 3F to 80 = 1011 1111 = BF:

    Physical interface: me0, Enabled, Physical link is Up
      Current address: 78:fe:3d:e4:01:bf, Hardware address: 78:fe:3d:e4:01:bf

The default VLAN interface is found by adding to the chassis MAC address:

    Physical interface: vlan, Enabled, Physical link is Up
      Current address: 78:fe:3d:e4:01:81, Hardware address: 78:fe:3d:e4:01:81

On an EX4300, the IRB (integrated routing and bridging) interface is found by adding and the me0 interface is the same as the chassis MAC address:

    EX4300> show chassis mac-addresses
    FPC 0 MAC address information:
      Public base address     10:0e:7e:a4:e3:00
      Public count            96

    Physical interface: me0, Enabled, Physical link is Up
      Current address: 10:0e:7e:a4:e3:02, Hardware address: 10:0e:7e:a4:e3:00

    Physical interface: irb, Enabled, Physical link is Up
      Current address: 10:0e:7e:a4:e3:01, Hardware address: 10:0e:7e:a4:e3:01

The EX3300 is the same as the 2200:

    EX3300> show chassis mac-addresses
    FPC 0 MAC address information:
      Public base address     88:e0:f3:76:b4:40
      Public count            64

    Physical interface: me0, Enabled, Physical link is Up
      Current address: 88:e0:f3:76:b4:42, Hardware address: 88:e0:f3:76:b4:7f

    Physical interface: vlan, Enabled, Physical link is Up
      Current address: 88:e0:f3:76:b4:41, Hardware address: 88:e0:f3:76:b4:41

So it would appear that using a revenue/production interface for ZTP would be the safest bet to provision an EX device versus using the me0 interface. The EX3300 and EX2200s add 3F to the chassis MAC address, but the EX4300 Series uses the same MAC as the chassis MAC address. The safest bet is to use a production interface and just add to calculate the VLAN or IRB interface hardware MAC address. For the
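The MAC-offset arithmetic in the note above, as an added example that is not part of the book or of any Juniper tool: it parses the three `show chassis mac-addresses` outputs quoted above (embedded as constructed sample text), derives the me0 and vlan/irb hardware addresses using the per-platform offsets the book reports, checks that each derived address still lies inside the chassis's public MAC block (the `Public count`), and emits a host reservation in standard ISC dhcpd syntax so the address can be pre-staged on the DHCP server before the hardware is unboxed. The offset table, the hostname CAN1 and the management address 192.168.2.10 come from the book; the dhcpd stanza format is ISC's, not a file from the book.

```python
"""Derive an EX switch's DHCP-visible MAC from the chassis base MAC and
pre-stage an ISC dhcpd host reservation for it."""
import re

# Constructed sample input: the 'show chassis mac-addresses' outputs the
# book quotes for its three lab platforms, keyed by model.
SHOW_CHASSIS = {
    "EX2200": "FPC 0 MAC address information:\n"
              "  Public base address     78:fe:3d:e4:01:80\n"
              "  Public count            64\n",
    "EX3300": "FPC 0 MAC address information:\n"
              "  Public base address     88:e0:f3:76:b4:40\n"
              "  Public count            64\n",
    "EX4300": "FPC 0 MAC address information:\n"
              "  Public base address     10:0e:7e:a4:e3:00\n"
              "  Public count            96\n",
}

# Offsets from the chassis base MAC as the book reports them (these
# reproduce the 'Hardware address' column of 'show interfaces'):
# me0 = base + 0x3F on EX2200/EX3300, me0 = base on EX4300;
# the L3 interface (vlan on EX2200/EX3300, irb on EX4300) = base + 1.
ME0_OFFSET = {"EX2200": 0x3F, "EX3300": 0x3F, "EX4300": 0x00}
L3_IFACE = {"EX2200": "vlan", "EX3300": "vlan", "EX4300": "irb"}
L3_OFFSET = 1

_BASE_RE = re.compile(r"Public base address\s+([0-9a-fA-F:]{17})")
_COUNT_RE = re.compile(r"Public count\s+(\d+)")


def mac_to_int(mac: str) -> int:
    """'78:fe:3d:e4:01:80' -> 0x78fe3de40180, rejecting malformed input."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def int_to_mac(value: int) -> str:
    """Inverse of mac_to_int; refuses values that do not fit in 48 bits."""
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC value out of 48-bit range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def parse_show_chassis(text: str):
    """Return (base_mac, public_count) from 'show chassis mac-addresses' text."""
    base = _BASE_RE.search(text)
    count = _COUNT_RE.search(text)
    if base is None or count is None:
        raise ValueError("no 'Public base address' / 'Public count' in output")
    return base.group(1).lower(), int(count.group(1))


def derive_macs(model: str, show_output: str) -> dict:
    """Compute me0 and the L3 interface MAC for `model`, refusing any
    offset that would leave the block of `Public count` addresses the
    chassis actually owns (an address outside it is not this switch)."""
    base, count = parse_show_chassis(show_output)
    base_int = mac_to_int(base)
    result = {"base": base, "count": count}
    for name, offset in (("me0", ME0_OFFSET[model]), (L3_IFACE[model], L3_OFFSET)):
        if offset >= count:
            raise ValueError(f"offset {offset:#x} exceeds public count {count}")
        result[name] = int_to_mac(base_int + offset)
    return result


def dhcpd_host_stanza(hostname: str, mac: str, fixed_ip: str) -> str:
    """Static reservation in ISC dhcpd syntax (not a file from the book)."""
    mac = int_to_mac(mac_to_int(mac))  # normalise and validate
    return (f"host {hostname} {{\n"
            f"  hardware ethernet {mac};\n"
            f"  fixed-address {fixed_ip};\n"
            f"}}\n")


if __name__ == "__main__":
    for model, output in SHOW_CHASSIS.items():
        print(model, derive_macs(model, output))
    # CAN1 is the book's EX2200-C; 192.168.2.10 is its me0 address.
    can1_me0 = derive_macs("EX2200", SHOW_CHASSIS["EX2200"])["me0"]
    print(dhcpd_host_stanza("CAN1", can1_me0, "192.168.2.10"))
```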
purposes of this Day One lab the me0 interface is used.

Let's take a collective look at the things you know:

- You now know you have a deadline of one week to deploy all of the configurations and make everything work once the devices are racked and stacked.
- You already know the design.
- You know that Juniper Networks EX Series switches come with BOOTP enabled out of the box and that you can determine the exact MAC address from the label on the device.
- You have a lot of time between the purchasing decision and being able to actually touch the physical devices!

So, knowing that you will be on the clock and under pressure to meet your timelines for the project, the decision is clear: ZTP is going to be your savior. Why? Because you are going to use the 45 days until your

    - Banner
    junspace@192.168.2.10's password:
    - JUNOS 12.3R9.4 built 2015-02-12 11:08:08 UTC
    {master:0}
    junspace@CAN1> show interfaces terse | match me0.0
    me0.0                   up    up   inet     192.168.2.10/24

    {master:0}
    junspace@CAN1> show configuration
    ## Last commit: 2015-02-12 14:22:35 UTC by root
    version 12.3R9.4;
    groups {
        juniper-ais {
            system {
                scripts {
                    commit {
                        allow-transients;
                        file jais-SN-activate-scripts.slax {
                            optional;
                        }
                    }
                }
            }
            event-options {
                destinations {
                    juniper-aim {
                        archive-sites {
                            /var/tmp/;
                        }
                    }
                }
            }
        }
    }
    apply-groups juniper-ais;
    /*
     * dhcpd-generated /var/etc/dhcpd.options.conf
     * Version: DHCPD release 12.3R9.4 built by builder on 2015-02-12 11:12:32 UTC
     * Written: Thu Feb 12 14:18:53 2015
     */
    system {
        host-name CAN1;
        authentication-order [ password radius ];
        root-authentication {
            encrypted-password 12uJsJuK6hHKA; ## SECRET-DATA
        }
        radius-server {
            192.168.2.252 {
                port 1812;
                secret "$9$uFP6OIhrlv8x-lKxdVbaJFn6C0BEcy"; ## SECRET-DATA
                timeout 3;
                retry 3;
                source-address 192.168.2.10;
            }
        }
        login {
            message "\n\nYou are accessing…

And obviously, this is truncated for the sake of brevity.

Let's summarize the steps in Chapter 4:

- You verified the MAC address of the chassis and determined which interface to use.
- You connected the device to the network.
- You reviewed the default configuration.
- You watched the device boot to the Amnesiac prompt that indicates it is at factory default.
- You watched the CLI state that it is going into the auto-image upgrade.
- And, once the device rebooted, you were presented with the configuration pulled from the HTTP server with a working production configuration to include hostname, production interfaces, and user accounts.

Summary

This was a successful ZTP implementation using just the basics of a DHCP and HTTP server and a factory default configuration on a Juniper Networks EX2200-C-12P Series Switch. The server was built on VMware Fusion, on a Mac. The server was configured for access with IP addresses, and IPTABLES entries to allow ports 80, 67, and 68. The SSHD, HTTPD, and DHCPD services were turned up. You should understand, in detail, the different pieces of the dhcpd.conf file. And finally, the ZTP test was run and it accomplished the task with very successful results.

NOTE: The Day One lab EX Series switch pulled a new image and it had to reboot twice, which added an extra five minutes per boot. The EX2200-C takes about five minutes to boot already, so the entire process took about 15-20 minutes from power up to complete load. However, there was no truck roll, and there was no hands-on requirement – it's a complete set-it-and-forget-it solution.

Appendices

Appendix A: VI

VI is a command-line editor that is widely used on Linux/UNIX-based platforms and is automatically loaded with virtually all versions of Linux/UNIX. Table A.1 lists some of the most common commands to assist you in getting started.

Table A.1: Common VI Commands

Input mode commands
  i    Inserts text before cursor
  I    Inserts text at the beginning of the current line
  a    Appends text after cursor position
  A    Appends text at the end of the current line
  o    Opens a line below
  O    Opens a line above

Delete commands
  dw   Deletes word from current position
  dd   Deletes the entire line
  D    Deletes from current position to end of current line
  x    Deletes character at cursor position

Change text
  cw   Changes word
  cc   Changes the line
  C    Changes to the end of the line
  r    Replaces the single character under the cursor
  J    Joins lines

Move cursor
  e    Moves to the end of the word
  w    Moves to the next word
  $    Moves to the end of the line
  l    Moves one space right
  k    Moves one line up
  j    Moves one line down
  h    Moves one space left
  H    Moves cursor to the top line on the screen
  L    Moves cursor to the bottom line on the screen
  M    Moves cursor to the middle line on the screen
  ^    Moves cursor to the beginning of the line
  fx   Moves cursor to first occurrence of x

Marking locations
  mx   Marks current position with letter x
  `x   Moves cursor to mark x
  'x   Moves cursor to beginning of the line containing mark x

Screen control
  CTRL-d      Scrolls forward one half screen
  CTRL-u      Scrolls backwards one half screen
  CTRL-f      Scrolls forward one screen
  CTRL-b      Scrolls backward one screen
  CTRL-l      Refreshes screen
  z           Redraws screen with current line on top
  z           Redraws screen with current line on bottom
  [number]G   Places cursor at line number

Moving text
  yy   Yanks one line into buffer
  p    Puts yanked lines below cursor position
  P    Puts yanked lines above current position

Escape or Last Line mode commands
  :w[file]    Writes current buffer as file
  :q          Quits file
  :q!         Quits file without saving changes
  :wq         Writes changes to file and quits
  :r[file]    Reads file
  :e[file]    Edits file
  :!command   Executes a command in the shell
  :n          Moves to line n
  :f          Prints out current line and file name

Info
  CTRL-G   Shows size of file, current filename, and current line

Other functions
  u          Undoes last command
  /string    Searches forward for string
  ?string    Searches backward for string
  n          Finds next string
             Repeats last command
  ESC        Moves from text input mode to command mode (** Note ** Use this to enter Last Line mode)
  CTRL-V     Inserts any character including special characters
  ~          Changes character to opposite case
  ZZ         Saves file and exits

TIPS
  5dd            Deletes lines
  10yy           Yanks 10 lines
  10CTRL-d       Scrolls down 10 lines
  $vi new.file   This command is used at the command line and tells the editor to open and place you in full screen mode, at which point you can begin creating the file named new.file
  i              To insert text
  ESCAPE         To enter last line mode
  :wq            To write and exit the file
  $              Back to the command line

Appendix B: The CAN1.config

Here is the CAN1.config that is being utilized in this book's lab and is what was actually loaded on the HTTP server and pulled down by the EX2200 during ZTP:

    CAN1> show configuration | display set | no-more
    set version 12.3R9.4
    set groups juniper-ais system scripts commit allow-transients
    set groups juniper-ais system scripts commit file jais-SN-activate-scripts.slax optional
    set groups juniper-ais event-options destinations juniper-aim archive-sites /var/tmp/
    set apply-groups juniper-ais
    set system host-name CAN1
    set system authentication-order password
    set system authentication-order radius
    set system root-authentication encrypted-password 12uJsJuK6hHKA
    set system radius-server 192.168.2.252 port 1812
    set system radius-server 192.168.2.252 secret "$9$uFP6OIhrlv8x-lKxdVbaJFn6C0BEcy"
    set system radius-server 192.168.2.252 timeout
    set system radius-server 192.168.2.252 retry
    set system radius-server 192.168.2.252 source-address 192.168.2.10
    set system login message "\n\nCommunications and work product are private and\nconfidential.\n\nSee User Agreement for details.\n\n"
    set system login user junspace uid 2003
    set system login user junspace class super-user
    set system login user junspace authentication encrypted-password "$1$3Q81TUw2$4YBbYpStkF4gnVnpjBYSx."
    set system login user lab1 uid 2005
    set system login user lab1 class operator
    set system login user lab2 uid 2011
    set system login user lab2 class operator
    set system login user lab3 uid 2012
    set system login user lab3 class operator
    set system login user lab4 uid 2013
    set system login user lab4 class operator
    set system login user lab5 uid 2014
    set system login user lab5 class operator
    set system login user scott uid 2001
    set system login user scott class super-user
    set system services ssh root-login allow
    set system services ssh max-sessions-per-connection 32
    set system services netconf ssh
    set system services dhcp traceoptions file dhcp_logfile
    set system services dhcp traceoptions level all
    set system services dhcp traceoptions flag all
    set system syslog user * any emergency
    set system syslog host 192.168.2.40 any any
    set system syslog host 192.168.2.2 any any
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system syslog file default-log-messages any any
    set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|cm_device|(Master Unchanged, Members Changed)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(vc add)|(vc delete)|(Master detected)|(Master changed)|(Backup detected)|(Backup changed)|(interface vcp-)|(AIS_DATA_AVAILABLE)"
    set system syslog file default-log-messages structured-data
    set system syslog source-address 192.168.2.10
    set system ntp server 128.252.19.1 version
    set system ntp source-address 192.168.2.10
    set interfaces interface-range DEFAULT0 member ge-0/0/2
    set interfaces interface-range DEFAULT0 member "ge-0/0/[5-9]"
    set interfaces ge-0/0/0 unit family ethernet-switching port-mode trunk
    set interfaces ge-0/0/0 unit family ethernet-switching vlan members B5
    set interfaces ge-0/0/1 unit family ethernet-switching
    set interfaces ge-0/0/2 unit family ethernet-switching port-mode trunk
    set interfaces ge-0/0/2 unit family ethernet-switching vlan members B5
    set interfaces ge-0/0/3 unit family ethernet-switching
    set interfaces ge-0/0/4 unit family ethernet-switching
    set interfaces ge-0/0/5 unit family ethernet-switching
    set interfaces ge-0/0/6 disable
    set interfaces ge-0/0/6 unit family ethernet-switching
    set interfaces ge-0/0/7 disable
    set interfaces ge-0/0/7 unit family ethernet-switching
    set interfaces ge-0/0/8 disable
    set interfaces ge-0/0/8 unit family ethernet-switching
    set interfaces ge-0/0/9 disable
    set interfaces ge-0/0/9 unit family ethernet-switching
    set interfaces ge-0/0/10 disable
    set interfaces ge-0/0/10 unit family ethernet-switching
    set interfaces ge-0/0/11 disable
    set interfaces ge-0/0/11 unit family ethernet-switching
    set interfaces ge-0/1/0 disable
    set interfaces ge-0/1/0 unit family ethernet-switching
    set interfaces ge-0/1/1 disable
    set interfaces ge-0/1/1 unit family ethernet-switching
    set interfaces lo0 unit family inet6 address 2001:db8::2/128
    set interfaces me0 unit family inet filter input MGT_FILTER
    set interfaces me0 unit family inet address 192.168.2.10/24
    set interfaces vlan unit family inet address 10.1.5.13/24
    set snmp client-list 192.168.1.0/24
    set snmp client-list 192.168.2.0/24
    set snmp community "CAct1SNMP"
    set snmp trap-options source-address 192.168.2.10
    set snmp trap-group networkdirector_trap_group version all
    set snmp trap-group networkdirector_trap_group destination-port 10162
    set snmp trap-group networkdirector_trap_group categories authentication
    set snmp trap-group networkdirector_trap_group categories chassis
    set snmp trap-group networkdirector_trap_group categories link
    set snmp trap-group networkdirector_trap_group categories configuration
    set snmp trap-group networkdirector_trap_group categories services
    set snmp trap-group space targets 192.168.2.61
    set forwarding-options helpers bootp server 192.168.2.252
    set event-options policy target_add_test events snmpd_trap_target_add_notice
    set event-options policy target_add_test events coldStart
    set event-options policy target_add_test then raise-trap
    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
    set routing-options static route 0.0.0.0/0 no-readvertise
    set protocols igmp-snooping vlan all
    set protocols rstp
    set protocols lldp interface all
    set protocols lldp interface me0.0
    set protocols lldp-med interface all
    set policy-options prefix-list SSH 192.168.2.0/24
    set policy-options prefix-list SSH 192.168.4.0/24
    set policy-options prefix-list SSH 192.168.5.2/32
    set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol direct
    set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol local
    set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol static
    set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC then accept
    set firewall family inet filter MGT_FILTER term SSH from source-prefix-list SSH
    set firewall family inet filter MGT_FILTER term SSH from destination-port ssh
    set firewall family inet filter MGT_FILTER term SSH then count MGT.SSH
    set firewall family inet filter MGT_FILTER term SSH then accept
    set firewall family inet filter MGT_FILTER term ICMP from source-address 192.168.2.0/24
    set firewall family inet filter MGT_FILTER term ICMP from destination-address 192.168.2.10/32
    set firewall family inet filter MGT_FILTER term ICMP from protocol icmp
    set firewall family inet filter MGT_FILTER term ICMP then count MGT.ICMP
    set firewall family inet filter MGT_FILTER term ICMP then accept
    set firewall family inet filter MGT_FILTER term SNMP from source-address 192.168.2.0/24
    set firewall family inet filter MGT_FILTER term SNMP from destination-port snmp
    set firewall family inet filter MGT_FILTER term SNMP then count MGT.SNMP
    set firewall family inet filter MGT_FILTER term SNMP then accept
    set firewall family inet filter MGT_FILTER term ALL_OTHERS then count MGT.REJECT
    set firewall family inet filter MGT_FILTER term ALL_OTHERS then log
    set firewall family inet filter MGT_FILTER term ALL_OTHERS then reject
    set ethernet-switching-options analyzer port-mirror input ingress interface ge-0/0/11.0
    set ethernet-switching-options analyzer port-mirror input egress interface ge-0/0/11.0
    set ethernet-switching-options analyzer port-mirror output interface ge-0/0/10.0
    set ethernet-switching-options storm-control interface all
    set vlans B5 vlan-id
    set vlans B5 l3-interface vlan.5
    set vlans VRF_S interface ge-0/0/1.0

Appendix C: SRX100 Configuration

Here is the configuration used in this book's lab for those who may not be familiar with the device. It uses an OOB network for the me0.0 interface. You can see the interfaces that the CAN1 EX2200-C is connected to (fe-0/0/6), as well as the DHCP server (fe-0/0/4), are also located:

    SRX> show arp no-resolve
    MAC Address        Address          Interface   Flags
    2c:21:72:ce:8f:88  192.168.2.1      vlan.200    none
    78:fe:3d:e4:01:bf  192.168.2.10     vlan.200    none
    08:00:27:04:f3:a3  192.168.2.252    vlan.200    none
    a8:20:66:27:06:19  192.168.2.254    vlan.200    none
    Total entries:

    SRX> show ethernet-switching table
    Ethernet-switching table: 11 entries, learned, persistent entries
      VLAN   MAC address         Type    Age  Interfaces
      LAB    *                   Flood   -    All-members
      LAB    00:30:67:a5:02:c4   Learn        fe-0/0/4.0
      LAB    2c:21:72:ce:8f:88   Learn        fe-0/0/0.0
      LAB    28:c0:da:e3:db:48   Static  -    Router
      LAB    08:00:27:04:f3:a3   Learn        fe-0/0/4.0
      LAB    5c:45:27:b1:72:3f   Learn        fe-0/0/3.0
      LAB    5c:45:27:e7:9b:3f   Learn        fe-0/0/5.0
      LAB    5c:45:27:e7:e8:3f   Learn        fe-0/0/2.0
      LAB    78:fe:3d:e4:01:bf   Learn        fe-0/0/6.0
      LAB    a8:20:66:27:06:19   Learn        fe-0/0/0.0
      LAB    cc:e1:7f:8f:7a:ff   Learn        fe-0/0/7.0

    set version 12.1X46-D35.1
    set system host-name SRX
    set system root-authentication encrypted-password "$1$miqicQsf$rrW6v.wnPDKIr9ecw30"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system login user junspace uid 2004
    set system login user junspace class super-user
    set system login user junspace authentication encrypted-password "$1$pMhYH/gB$s1TEv5EFFQMe0NN72h."
    set system services ssh root-login allow
    set system services ssh max-sessions-per-connection 32
    set system services xnm-clear-text
    set system services netconf ssh
    set system services dhcp traceoptions file DHCP_CAP
    set system services dhcp traceoptions file size 1m
    set system services dhcp traceoptions file files
    set system services dhcp traceoptions flag all
    set system syslog archive size 100k
    set system syslog archive files
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system syslog file default-log-messages any info
    set system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES|(AIS_DATA_AVAILABLE)"
    set system syslog file default-log-messages structured-data
    set system max-configurations-on-flash
    set system max-configuration-rollbacks
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/1 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/2 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/3 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/4 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/5 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/6 unit family ethernet-switching vlan members LAB
    set interfaces fe-0/0/7 unit family ethernet-switching vlan members LAB
    set interfaces vlan unit 200 family inet address 192.168.2.9/24
    set snmp community "CAct1SNMP"
    set snmp trap-group space targets 192.168.2.61
    set snmp trap-group space targets 192.168.2.22
    set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1
    set protocols lldp interface all
    set protocols lldp interface fe-0/0/0.0 disable
    set protocols rstp interface fe-0/0/0.0 disable
    set protocols rstp interface fe-0/0/2.0 disable
    set protocols rstp interface fe-0/0/3.0 disable
    set protocols rstp interface all edge
    set security zones security-zone LAB interfaces fe-0/0/7.0
    set security zones security-zone LAB interfaces fe-0/0/0.0
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB
    set security zones security-zone LAB services ping
    set security zones security-zone LAB services ssh
    set security zones security-zone LAB services netconf
    set security zones security-zone LAB services https
    set security zones security-zone LAB services http
    set security zones security-zone LAB services ntp
    set security zones security-zone LAB services snmp
    set security zones security-zone LAB services snmp-trap
    set security zones security-zone
LAB services traceroute set security zones security-zone LAB services dhcp set vlans LAB vlan-id 200 set vlans LAB l3-interface vlan.200 interfaces interfaces interfaces interfaces interfaces interfaces interfaces fe-0/0/1.0 fe-0/0/2.0 fe-0/0/3.0 fe-0/0/4.0 fe-0/0/5.0 fe-0/0/6.0 vlan.200 host-inbound-traffic system- interfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic systeminterfaces vlan.200 host-inbound-traffic system- Appendix D ZTP Capable Devices These Appendices only capture three different devices Other ZTP capable devices running the Junos OS are: EX2200 EX2200-C EX3200 EX3300 EX4200 EX4300 EX4500 EX4550 QFX10002 MORE? For a complete list of ZTP capable devices check out pathfinder juniper.net for a list of devices that are ZTP capable: 62 Day One: Deploying Zero Touch Provisioning Calculating the MAC Address of the me0 Interface On an EX Series As stated previously the MAC address of a device is clearly printed on the outside of the hardware so there is no need to log in to the device to find the hardware address of the me0 interface or the default VLAN interface The following image was taken from the EX2200 used in the Day One lab You can also see that the chassis MAC address is accessible from the command line if needed: EX2200> show chassis mac-addresses FPC MAC address information: Public base address 78:fe:3d:e4:01:80 Public count 64 HEX conversion of 80 to binary = 1000 0000 HEX 3F in binary = 0011 1111 Add 3F to 80 = 1011 1111 = BF: Physical interface: me0, Enabled, Physical link is Up Current address: 78:fe:3d:e4:01:bf, Hardware address: 78:fe:3d:e4:01:bf The default VLAN interface is found by adding 1: Physical interface: vlan, 
Enabled, Physical link is Up
  Current address: 78:fe:3d:e4:01:81, Hardware address: 78:fe:3d:e4:01:81

On an EX4300 the IRB interface is found by adding 1, and the me0 interface is the same as the chassis MAC address:

EX4300> show chassis mac-addresses
FPC MAC address information:
  Public base address     10:0e:7e:a4:e3:00
  Public count            96

Physical interface: me0, Enabled, Physical link is Up
  Current address: 10:0e:7e:a4:e3:02, Hardware address: 10:0e:7e:a4:e3:00

Physical interface: irb, Enabled, Physical link is Up
  Current address: 10:0e:7e:a4:e3:01, Hardware address: 10:0e:7e:a4:e3:01

The EX3300 is the same as the 2200:

EX3300> show chassis mac-addresses
FPC MAC address information:
  Public base address     88:e0:f3:76:b4:40
  Public count            64

Physical interface: me0, Enabled, Physical link is Up
  Current address: 88:e0:f3:76:b4:42, Hardware address: 88:e0:f3:76:b4:7f

Physical interface: vlan, Enabled, Physical link is Up
  Current address: 88:e0:f3:76:b4:41, Hardware address: 88:e0:f3:76:b4:41

This example dhcpd.conf file uses the me0 interface, so we had to add 3F to the chassis MAC address to get 78:fe:3d:e4:01:bf for the lab. It would have been just as easy to add 1 to the chassis MAC address and plug the cat-5 cable into any revenue port.

Appendix E

Here's the complete boot capture from the console connection:

Sep 29 21:20:42 init: multicast-snooping (PID 1275) stopped by signal 17
Sep 29 21:20:42 init: sflow-service (PID 1274) stopped by signal 17
Sep 29 21:20:42 init: lldpd-service (PID 1273) stopped by signal 17
Sep 29 21:20:42 init: vchassis-diag-manager (PID 1271) stopped by signal 17
Sep 29 21:20:42 init: pki-service (PID 1270) stopped by signal 17
Sep 29 21:20:42 init: shm-rtsdbd (PID 1269) stopped by signal 17
Sep 29 21:20:42 init: secure-neighbor-discovery (PID 1268) stopped by signal 17
Sep 29 21:20:42 init: redundancy-device (PID 1267) stopped by signal 17
Sep 29 21:20:42 init: bdbrepd (PID 1265) stopped by signal 17
Sep 29 21:20:42 init: smid (PID 1264)
stopped by signal 17
Sep 29 21:20:42 init: neighbor-liveness (PID 1261) stopped by signal 17
Sep 29 21:20:42 init: firewall (PID 1260) stopped by signal 17
Sep 29 21:20:42 init: periodic-packet-services (PID 1259) stopped by signal 17
Sep 29 21:20:42 init: class-of-service (PID 1258) stopped by signal 17
Sep 29 21:20:42 init: pfed (PID 1257) stopped by signal 17
Sep 29 21:20:42 init: sntp (PID 1256) stopped by signal 17
Sep 29 21:20:42 init: routing (PID 1255) stopped by signal 17
Sep 29 21:20:42 init: mib-process (PID 1254) stopped by signal 17
Sep 29 21:20:42 init: snmp (PID 1253) stopped by signal 17
Sep 29 21:20:42 init: ethernet-connectivity-fault-management (PID 1252) stopped by signal 17
Terminated
root@CAN1:RE:0% S
Waiting (max 60 seconds) for system process `vnlru' to stop done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop done
Waiting (max 60 seconds) for system process `bufdaemon' to stop done
Waiting (max 60 seconds) for system process `syncer' to stop
Syncing disks, vnodes remaining 1 0 done
syncing disks All buffers synced
Uptime: 5d7h21m14s
Rebooting

U-Boot 1.1.6 (Jun 29 2011 - 11:08:23)

Board: EX2200-C-12P-2G 4.5
EPLD:  Version 14 (0x02)
DRAM:  Initializing (512MB)
Flash: MB
Firmware Version: 01.00.00
USB:   scanning bus for devices USB Device(s) found
       scanning bus for storage devices Storage Device(s) found
ELF file is 32 bit
Consoles: U-Boot console
FreeBSD/arm U-Boot loader, Revision 1.1
(builder@svl-junos-pool91.juniper.net, Tue Apr 00:15:22 UTC 2011)
Memory: 512MB
bootsequencing is enabled
bootsuccess is set
new boot device = disk0s2:
Loading /boot/defaults/loader.conf
/kernel data=0x889590+0xdd8ac syms=[0x4+0xf0f80+0x4+0xc89d0]
Hit [Enter] to boot immediately, or space bar for command prompt
Booting [/kernel]
Kernel entry at 0x1400100
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2015, Juniper Networks, Inc. All rights reserved
Copyright (c) 1992-2006 The FreeBSD Project
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved
JUNOS 12.3R11.2 #0: 2015-09-24 11:14:53 UTC
    builder@kessuth.juniper.net:/volume/build/junos/12.3/release/12.3R11.2/obj-arm/junos/bsd/kernels/JUNIPER-EX-2200/kernel
can't re-use a leaf (all_slot_serialid)!
CPU: Feroceon 88FR131 rev (Marvell core)
cpu53: Feroceon 88FR131 revision
  WB enabled EABT branch prediction enabled
  16KB/32B 4-way Instruction cache
  16KB/32B 4-way write-back-locking-C Data cache
real memory  = 536870912 (512 MB)
avail memory = 503205888 (479 MB)
SOC: Marvell 88F6281 rev A0, TClock 200MHz
Security policy loaded: Junos MAC/veriexec (mac_veriexec)
MAC/veriexec fingerprint module loaded: SHA256
MAC/veriexec fingerprint module loaded: SHA1
ETHERNET SOCKET BRIDGE initialising
Initializing EXSERIES properties
mbus0: on motherboard
ic0: at mem 0xf1020200-0xf102023b on mbus0
timer0: at mem 0xf1020300-0xf102032f irq on mbus0
gpio0: at mem 0xf1010100-0xf101011f irq 35,36,37,38,39,40,41 on mbus0
uart0: at mem 0xf1012000-0xf101201f irq 33 on mbus0
uart0: console (9600,n,8,1)
uart1: at mem 0xf1012100-0xf101211f irq 34 on mbus0
ehci0: at mem 0xf1050000-0xf1050fff irq 48,19 on mbus0
usb0: EHCI version 1.0
usb0 on ehci0
usb0: USB revision 2.0
uhub0: Marvell EHCI root hub, class 9/0, rev 2.00/1.00, addr
uhub0: port with removable, self powered
uhub1: vendor 0x04b4 product 0x6560, class 9/0, rev 2.00/90.15, addr
uhub1: single transaction translator
uhub1: ports with removable, self powered
umass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr
mge0: at mem 0xf1072000-0xf1073fff irq 12,13,14,11,46 on mbus0
mge0: hardware MAC address 78:fe:3d:e4:01:bf
miibus0: on mge0
e1000phy0: on miibus0
e1000phy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX-FDX, auto
i2c0: at mem 0xf1011000-0xf101101f irq 29 on mbus0
syspld0: on i2c0
poe0: on i2c0
cfi0: at mem 0xf1010600-0xf101062f,0xf8000000-0xf87fffff irq 23 on mbus0
mpfe0: at mem 0xf4000000-0xf7ffffff irq 113 on mbus0
pcib0: at mem 0xf1040000-0xf1041fff,0xe8000000-0xefffffff irq on mbus0
pci0: on pcib0
Initializing product: 119
bmeb: bmeb_lib_init done 0xc338a800, addr 0xc1d608e8
bme0:Virtual BME driver initializing
Timecounter "CPU Timer" frequency 200000000 Hz quality 1000
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus target lun
da0: Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Kernel thread "wkupdaemon" (pid 42) exited prematurely
Trying to mount root from ufs:/dev/da0s2a
Attaching /packages/jbase via /dev/mdctl
Mounted jbase package on /dev/md0
Verified manifest signed by PackageProduction_12_3_0
Verified jboot signed by PackageProduction_12_3_0
Verified jbase-ex-12.3R11.2 signed by PackageProduction_12_3_0
Mounted fips-mode-arm package on /dev/md1
Verified manifest signed by PackageProduction_12_3_0
Verified fips-mode-arm-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jcrypto-ex package on /dev/md2
Verified manifest signed by PackageProduction_12_3_0
Verified jcrypto-ex-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jdocs-ex package on /dev/md3
Verified manifest signed by PackageProduction_12_3_0
Verified jdocs-ex-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jkernel-ex-2200 package on /dev/md4
Verified manifest signed by PackageProduction_12_3_0
Verified jkernel-ex-2200-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jpfe-ex22x package on /dev/md5
Verified manifest signed by PackageProduction_12_3_0
Verified jpfe-ex22x-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jroute-ex package on /dev/md6
Verified manifest signed by PackageProduction_12_3_0
Verified jroute-ex-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jswitch-ex package on /dev/md7
Verified manifest signed by PackageProduction_12_3_0
Verified jswitch-ex-12.3R11.2 signed by PackageProduction_12_3_0
Mounted jweb-ex package on /dev/md8
Verified manifest signed by PackageProduction_12_3_0
Verified jweb-ex-12.3R11.2 signed by PackageProduction_12_3_0
Executing /packages/mnt/jweb-ex-12.3R11.2/mount.post
Automatic reboot in progress
Media check on da0 on ex platforms
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 36938 free (10 frags, 4616 blocks, 0.0% fragmentation)
** /dev/da0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 62178 free (154 frags, 7753 blocks, 0.2% fragmentation)
Computing slice and partition sizes for /dev/da0
savecore: could not be determined
No dump exists
** /dev/da0s3d
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 188909 free (29 frags, 23610 blocks, 0.0% fragmentation)
** /dev/da0s4d
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31663 free (23 frags, 3955 blocks, 0.1% fragmentation)
rm: /var/etc/pam.conf: Operation not permitted
Creating initial configuration
mgd: error: Cannot open configuration file: /config/juniper.conf
mgd: warning: activating factory configuration
mgd: Running FIPS Self-tests
veriexec: no signatures for device file='/sbin/kats/cannot-exec' fsid=69 fileid=51404 gen=1 uid=0 pid=467
mgd: FIPS Self-tests Passed
mgd: commit complete
mgd: -
mgd: Please login as 'root'. No password is required
mgd: To start Initial Setup, type 'ezsetup' at the JUNOS prompt
mgd: To start JUNOS CLI, type 'cli' at the JUNOS prompt
mgd: -
Setting initial options: debugger_on_panic=NO debugger_on_break=NO
Starting optional daemons:
Doing initial network setup:
Initial interface configuration:
additional daemons:
Additional routing options: kern.module_path: /boot//kernel;/boot/modules -> /boot/modules;/modules/peertype;/modules/ifpfe_drv;/modules/platform;/modules;
kld netpfe drv: ifpfed_eth ifpfed_ml_cmn
kld platform: ex_ifpfe
Loading the EX-series platform NETPFE module if_vcp
kld peertype: peertype_hcm peertype_pfem peertype_sfi peertype_slavere
grat_arp_on_ifup=YES: net.link.ether.inet.grat_arp_on_ifup: ->
ipsec kld
Doing additional network setup:
Starting final network daemons:
setting ldconfig path: /usr/lib /opt/lib
starting standard daemons: cron
Local package initialization:
Initialize /var subdirs
starting local daemons: set cores for group access
Thu Sep 24 14:05:25 UTC 2015
Boot media /dev/da0 has dual root support
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 43287 free (31 frags, 5407 blocks, 0.0% fragmentation)

Amnesiac (ttyu0)

login:
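The MAC-address arithmetic from Appendix D ("Calculating the MAC Address of the me0 Interface"), carried out in code so it can be run on the DHCP server when filling in a dhcpd.conf reservation. This is an added example, not code from the book or from Juniper: the offsets in the table are the ones the appendix observes on its three lab units (EX2200/EX3300: me0 = base + 0x3F, vlan = base + 1; EX4300: me0 = base, irb = base + 1) and should be verified against `show chassis mac-addresses` on any other model. The function names, the carry handling across octets, the "Public count" bounds check and the ISC dhcpd `host` stanza at the end are this example's own assumptions about how the value is used.

```python
"""Derive EX Series management-interface MACs from the chassis base MAC.

Added example (not from the Day One book).  Offsets are the ones observed in
Appendix D; anything else here (names, dhcpd stanza) is an assumption.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Offsets from the "Public base address" line of show chassis mac-addresses,
# as observed on the appendix's sample devices.  Keyed by platform family.
INTERFACE_OFFSETS = {
    "EX2200": {"me0": 0x3F, "vlan": 0x01},
    "EX3300": {"me0": 0x3F, "vlan": 0x01},
    "EX4300": {"me0": 0x00, "irb": 0x01},
}


def mac_to_int(mac):
    """Parse a colon-separated MAC into a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError("not a colon-separated MAC address: %r" % (mac,))
    return int(mac.replace(":", ""), 16)


def int_to_mac(value):
    """Render a 48-bit integer as a lowercase colon-separated MAC."""
    if not 0 <= value < (1 << 48):
        raise ValueError("value does not fit in 48 bits")
    raw = "%012x" % value
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def within_public_count(offset, public_count):
    """True if `offset` addresses lie inside the chassis' allocated block."""
    return 0 <= offset < public_count


def offset_mac(base, offset, public_count=None):
    """Add `offset` to `base`, carrying across octet boundaries.

    Doing the addition on the whole 48-bit value (not just the last octet)
    is what makes a base ending in e.g. :c1 come out right.  If the
    "Public count" from show chassis mac-addresses is given, offsets outside
    the block are rejected rather than silently producing a MAC the chassis
    never uses.
    """
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if public_count is not None and not within_public_count(offset, public_count):
        raise ValueError("offset %#x outside the chassis block of %d"
                         % (offset, public_count))
    return int_to_mac(mac_to_int(base) + offset)


def derive_interface_macs(platform, base, public_count=None):
    """Return {interface: mac} for a platform family, e.g. 'EX2200-C'."""
    family = platform.upper().split("-")[0]   # "EX2200-C" -> "EX2200"
    if family not in INTERFACE_OFFSETS:
        raise ValueError("no observed offsets for %s; check show chassis "
                         "mac-addresses on the device" % platform)
    return {name: offset_mac(base, off, public_count)
            for name, off in INTERFACE_OFFSETS[family].items()}


def dhcpd_host_stanza(hostname, mac, fixed_address=None):
    """Render an ISC dhcpd `host` stanza keyed on the derived MAC (assumed
    usage; the book's own dhcpd.conf layout is not reproduced here)."""
    lines = ["host %s {" % hostname, "    hardware ethernet %s;" % mac]
    if fixed_address:
        lines.append("    fixed-address %s;" % fixed_address)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The lab EX2200-C from Appendix D: base 78:fe:3d:e4:01:80, count 64.
    macs = derive_interface_macs("EX2200-C", "78:fe:3d:e4:01:80", 64)
    print(macs)   # {'me0': '78:fe:3d:e4:01:bf', 'vlan': '78:fe:3d:e4:01:81'}
    # CAN1 sits at 192.168.2.10 in the SRX ARP table of Appendix C.
    print(dhcpd_host_stanza("CAN1", macs["me0"], "192.168.2.10"))
```

On both 64-address units in the appendix the me0 offset 0x3F happens to be the last address of the block (count minus one), while the EX4300 with a 96-address block uses the base itself; treat the table as observed values to confirm against the device, not as a rule for other models.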