Saturday, October 3, 2015


JUNOS Built in Time Domain Reflectometer (TDR)

One handy feature that often goes overlooked and unused is the built-in TDR function in Juniper switches.

Here is a quick example on how to start the TDR test and then how to show the test results.

For comparison, I ran one on a cable that is jacked up and one on a known good cable between two EX2200-Cs.

##Set the cli timestamp so we get an idea of how long this takes
{master:0}
junspace@CDN1> set cli timestamp 

Oct 03 10:49:04


CLI timestamp set to: %b %d %T

##Initiate the test
junspace@CDN1> request diagnostics tdr start interface ge-0/0/4
Oct 03 10:49:22 

Interface TDR detail:
Test status                     : Test successfully executed  ge-0/0/4 

##Show the results
{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/4
Oct 03 10:49:43 

Interface TDR detail:
Interface name                  : ge-0/0/4
Test status                     : Started

{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/4    
Oct 03 10:49:50

Interface TDR detail:
Interface name                  : ge-0/0/4
Test status                     : Passed
Link status                     : Down
MDI pair                        : 1-2
  Cable status                  : Open
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
MDI pair                        : 3-6
  Cable status                  : Open
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
MDI pair                        : 4-5
  Cable status                  : Open
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
MDI pair                        : 7-8
  Cable status                  : Short on Pair-3
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
Channel pair                    : 1
  Pair swap                     : N/A
Channel pair                    : 2
  Pair swap                     : N/A
Downshift                       : N/A

##RESULTS: The test completed, but we can see that there is a short on Pair-3 and the other MDI pairs are open. Now for a good cable to compare against.

{master:0}
junspace@CDN1> request diagnostics tdr start interface ge-0/0/11
Oct 03 10:50:48 

Interface TDR detail:
Test status                     : Test successfully executed  ge-0/0/11 

{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/11
Oct 03 10:51:00 

Interface TDR detail:
Interface name                  : ge-0/0/11
Test status                     : Started

{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/11    
Oct 03 10:51:09

Interface TDR detail:
Interface name                  : ge-0/0/11
Test status                     : Started

{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/11    
Oct 03 10:51:14

Interface TDR detail:
Interface name                  : ge-0/0/11
Test status                     : Started

{master:0}
junspace@CDN1> show diagnostics tdr interface ge-0/0/11    
Oct 03 10:51:19

Interface TDR detail:
Interface name                  : ge-0/0/11
Test status                     : Passed
Link status                     :  UP
MDI pair                        : 1-2
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 0 ns
MDI pair                        : 3-6
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 8 ns
MDI pair                        : 4-5
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 0 ns
MDI pair                        : 7-8
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 0 ns
Channel pair                    : 1
  Pair swap                     : MDI
Channel pair                    : 2
  Pair swap                     : MDI
Downshift                       : No Downshift


## There we go, all normal. TDR diagnostics is a good tool when you don't have a Fluke around and you have an access cable that is acting up. Just give it a test.
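
The start-then-poll sequence above (request the test, re-run the show command until "Test status" leaves "Started", then read the MDI pairs) is easy to script. The block below is an added example, not code from the original post: a small Python parser for the "show diagnostics tdr interface" output as captured above, with a per-interface verdict. The two sample captures are constructed from the bad-cable and good-cable runs above, trimmed to two MDI pairs each so the block stays short; the field layout is unchanged.

```python
import re

# Constructed samples, trimmed from the two captures above (two MDI pairs each
# instead of four); the field names and spacing are as Junos prints them.
BAD_CABLE = """\
Interface TDR detail:
Interface name                  : ge-0/0/4
Test status                     : Passed
Link status                     : Down
MDI pair                        : 1-2
  Cable status                  : Open
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
MDI pair                        : 7-8
  Cable status                  : Short on Pair-3
  Distance fault                : 0 Meters
  Polartiy swap                 : N/A
  Skew time                     : N/A
Channel pair                    : 1
  Pair swap                     : N/A
"""

GOOD_CABLE = """\
Interface TDR detail:
Interface name                  : ge-0/0/11
Test status                     : Passed
Link status                     :  UP
MDI pair                        : 1-2
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 0 ns
MDI pair                        : 3-6
  Cable status                  : Normal
  Distance fault                : 0 Meters
  Polartiy swap                 : Normal
  Skew time                     : 8 ns
"""

# "<key> : <value>" with the padding Junos puts around the colon
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def _number(value):
    # '8 ns' -> 8, '0 Meters' -> 0, 'N/A' -> None
    head = value.split()[0] if value else ""
    return int(head) if head.isdigit() else None


def parse_tdr(text):
    """Turn one 'show diagnostics tdr interface' capture into a dict."""
    result = {"interface": None, "status": None, "link": None, "pairs": []}
    pair = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Interface name":
            result["interface"] = value
        elif key == "Test status":
            result["status"] = value
        elif key == "Link status":
            result["link"] = value
        elif key == "MDI pair":
            pair = {"pair": value}
            result["pairs"].append(pair)
        elif key == "Channel pair":
            pair = None  # the 'Pair swap' lines below belong to channels, not MDI pairs
        elif pair is not None:
            if key == "Cable status":
                pair["status"] = value
            elif key == "Distance fault":
                pair["distance_m"] = _number(value)
            elif key == "Polartiy swap":  # spelled this way in the Junos output
                pair["polarity"] = value
            elif key == "Skew time":
                pair["skew_ns"] = _number(value)
    return result


def faults(parsed):
    """One line per MDI pair whose cable status is anything other than Normal."""
    return [
        f"pair {p['pair']}: {p['status']} at {p['distance_m']} m"
        for p in parsed["pairs"]
        if p.get("status") != "Normal"
    ]


def verdict(parsed):
    """RUNNING while the test still reports Started, otherwise OK or FAULT."""
    if parsed["status"] == "Started":
        return "RUNNING"
    return "FAULT" if faults(parsed) else "OK"
```

Used in a loop, `verdict()` returning "RUNNING" is the signal to sleep and re-run the show command; "FAULT" together with the `faults()` list is what you would log or alert on for the port.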

Saturday, August 22, 2015

EASY - DYNAMIC SSL VPN on SRX210


The Juniper Networks SRX branch and campus series support Dynamic SSL VPN out of the box.

While this is a licensed service, it comes with two FREE licenses on the device, which is PERFECT for SOHO or branch office remote access.

The devices that support this are:
·      SRX100
·      SRX110
·      SRX210
·      SRX220
·      SRX240
·      SRX550
·      SRX650

Check your software version for support details, but almost all of these devices support dynamic-vpn from 10.0 onward.

user@srx> show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                        0            2           0    permanent

I'll post both the default JUNOS hierarchy output and the set-based JUNOS output in this

user@srx> show configuration groups DYNVPN | display set
set groups DYNVPN security ike policy ike-dyn-vpn-policy mode aggressive
set groups DYNVPN security ike policy ike-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$9$su2oZjT3n60OLx7dYgJGD"
set groups DYNVPN security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set groups DYNVPN security ike gateway dyn-vpn-local-gw external-interface fe-0/0/2.0
set groups DYNVPN security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set groups DYNVPN security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set groups DYNVPN security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set groups DYNVPN security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set groups DYNVPN security dynamic-vpn access-profile dyn-vpn-access-profile
set groups DYNVPN security dynamic-vpn clients all remote-protected-resources 192.168.20.0/24
set groups DYNVPN security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set groups DYNVPN security dynamic-vpn clients all ipsec-vpn dyn-vpn
set groups DYNVPN security dynamic-vpn clients all user client1
set groups DYNVPN security dynamic-vpn clients all user client2
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match source-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match destination-address any
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ping
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ssh
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-ike
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy match application junos-https
set groups DYNVPN security policies from-zone untrust to-zone lab policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set groups DYNVPN access profile dyn-vpn-access-profile client client1 firewall-user password "$9Q3/AuQFA0OByrs2gaDi.P5Qz3"
set groups DYNVPN access profile dyn-vpn-access-profile client client2 firewall-user password "$9$4Ia3/.P39CAIRNdVsoJDik.mf"
set groups DYNVPN access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet network 192.168.14.0/30
set groups DYNVPN access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 4.2.2.2/32
set groups DYNVPN access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

user@srx> show configuration groups
DYNVPN {
    security {
        ike {
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$sFikT3nLx7dYgJGD"; ## SECRET-DATA
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 2;
                    ike-user-type group-ike-id;
                }
                external-interface fe-0/0/2.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
            }
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        192.168.20.0/24;
                    }
                    remote-exceptions {
                        0.0.0.0/0;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        user1;
                        user2;
                    }
                }
            }
        }
        policies {
            from-zone untrust to-zone lab {
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-ping junos-ssh junos-ike junos-https ];
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client client1 {
                firewall-user {
                    password "$9$U8jkmTyrs2gaDi.P5Qz3"; ## SECRET-DATA
                }
            }
            client client2 {
                firewall-user {
                    password "$9$49CAIVsoJDik.mf"; ## SECRET-DATA
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 192.168.14.0/30;
                    xauth-attributes {
                        primary-dns 4.2.2.2/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
}
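
Two outputs of the same group are shown above, and comparing them is a useful habit: the set-based output references users client1 and client2, which match the client entries in the access profile, while the hierarchy output lists user1 and user2 under dynamic-vpn clients, which have no such entries. The block below is an added example, not from the original post or from Juniper: a Python check that parses "display set" lines and verifies that every dynamic-vpn user has a client entry in the referenced access profile, that the ipsec-vpn and ike gateway references resolve, and that the gateway's connections-limit does not exceed the licensed count from "show system license". The sample config is constructed from the set output above with the password hashes replaced by a placeholder and unrelated lines left out.

```python
# Constructed from the 'display set' output above; password hashes are a
# placeholder and lines that the checks do not need are omitted.
CONFIG_SET = """\
set groups DYNVPN security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set groups DYNVPN security ike gateway dyn-vpn-local-gw dynamic connections-limit 2
set groups DYNVPN security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set groups DYNVPN security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set groups DYNVPN security dynamic-vpn access-profile dyn-vpn-access-profile
set groups DYNVPN security dynamic-vpn clients all ipsec-vpn dyn-vpn
set groups DYNVPN security dynamic-vpn clients all user client1
set groups DYNVPN security dynamic-vpn clients all user client2
set groups DYNVPN access profile dyn-vpn-access-profile client client1 firewall-user password "PLACEHOLDER"
set groups DYNVPN access profile dyn-vpn-access-profile client client2 firewall-user password "PLACEHOLDER"
"""


def parse_set(text):
    """Split each 'set ...' line into tokens, dropping the 'groups <name>' prefix."""
    stmts = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "set":
            continue
        toks = toks[1:]
        if toks[:1] == ["groups"]:
            toks = toks[2:]
        stmts.append(toks)
    return stmts


def _match(stmts, pattern):
    """Yield statements whose leading tokens fit pattern ('*' matches any one token)
    and that carry at least one token after it."""
    n = len(pattern)
    for s in stmts:
        if len(s) > n and all(p == "*" or p == t for p, t in zip(pattern, s)):
            yield s


def check_dynvpn(text, licensed_connections):
    """Cross-check the references in a dynamic-vpn group; returns a list of problems."""
    stmts = parse_set(text)
    problems = []

    # every user under dynamic-vpn clients must be a client in the access profile
    defined = {(s[2], s[4]) for s in _match(stmts, ["access", "profile", "*", "client"])}
    users = [s[5] for s in _match(stmts, ["security", "dynamic-vpn", "clients", "*", "user"])]
    for profile in sorted({s[3] for s in _match(stmts, ["security", "dynamic-vpn", "access-profile"])}):
        for user in users:
            if (profile, user) not in defined:
                problems.append(f"user {user} has no client entry in access profile {profile}")

    # the ipsec-vpn the clients use, and the gateway that vpn uses, must exist
    vpns = {s[3] for s in _match(stmts, ["security", "ipsec", "vpn"])}
    for s in _match(stmts, ["security", "dynamic-vpn", "clients", "*", "ipsec-vpn"]):
        if s[5] not in vpns:
            problems.append(f"ipsec-vpn {s[5]} is referenced but not defined")
    gateways = {s[3] for s in _match(stmts, ["security", "ike", "gateway"])}
    for s in _match(stmts, ["security", "ipsec", "vpn", "*", "ike", "gateway"]):
        if s[6] not in gateways:
            problems.append(f"ike gateway {s[6]} is referenced but not defined")

    # connections-limit should not promise more tunnels than the licence allows
    for s in _match(stmts, ["security", "ike", "gateway", "*", "dynamic", "connections-limit"]):
        if int(s[6]) > licensed_connections:
            problems.append(
                f"gateway {s[3]} allows {s[6]} connections but only "
                f"{licensed_connections} are licensed"
            )
    return problems
```

Feed it the real "show configuration groups DYNVPN | display set" text and the installed count from "show system license" (2 on the box above); an empty list means the references line up, and anything else is worth fixing before the group is applied.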

Now, in Pulse Secure (previously known as JUNOS Pulse), you enter the connection information and hit Connect. Once connected, you will have a secure tunnel.

A quick $ ifconfig utun1 on my Mac shows:

utun1: flags=8051 mtu 1500
                  inet 192.168.14.1 --> 192.168.14.1 netmask 0xffffffff

OR

You can also just point your web browser at your external IP and log in that way, but Pulse Secure is very easy to use.

Now that your tunnel is up, you are authorized to access your protected devices remotely.

You will notice that I placed the DYNVPN settings in a configuration group. I did this so I can turn it on when I need it and leave it off when I don't. I don't want to expose the web interface to the public Internet when I am not using it.

By placing the configuration in a group, I can enable it with
user@srx# set apply-groups DYNVPN
user@srx# commit

and disable it with
user@srx# deactivate apply-groups DYNVPN
user@srx# commit


The point of this post is that the SRX not only protects your SOHO, branch office or campus exceptionally well, but also provides additional features such as Dynamic VPN, UTM, AV and IPS.