Andrew Roderos

Tech Geek

Blog

Blocking ads network-wide with Pi-hole

by 2 Comments

I think it’s safe to say that the majority of people hate ads. However, it is a necessary evil since we all love free stuff. Whether that’s YouTube content, email service, etc., we want it for free. Some people install ad blocker add-ons on their browsers, and they work great. Some tech-savvy folks go even further by blocking ads network-wide. Today’s post is how to block ads network-wide.

Why block ads?

I love ads! Said no one, ever.

People have different opinions about ads. However, generally, people hate ads. Some common reasons are the following:

  • Pervasive
  • Intrusive
  • Obnoxious
  • And many more

For the most part, I agree with this list. However, some creators know how to be responsible with their content monetization. Not being responsible can affect the user experience. As a result, viewership goes down, or users find ways to block ads, which results to lower ad revenue.

Malvertising

What this list doesn’t have is malvertising or malicious advertising. It is one of my reasons why I block ads. It is, after all, a security issue. If you are unfamiliar with the term, please visit this site.

Essentially, cybercriminals pay an advertising network to display malicious ads that will redirect users to a compromised server. Malvertising can perform the following attacks on users without clicking anything:

  • A “drive-by” download. It is a type of attack that downloads and installs malware or adware.
  • Redirects to a phishing site.
  • Redirects to a site with fraud advertising. Some of these fraud ads will instruct users to download software to clean their computers.
  • The list goes on.

Enter Pi-hole

block ads using pi-hole

Pi-hole is a free and open-source software (FOSS) project. It was created by Jacob Salmela as an alternative to AdTrap back in 2014.

It is a Linux-based application that allows users to block advertisements and internet trackers at the network level. Originally designed to work with embedded devices like Raspberry Pi; hence, the name Pi-hole.

For several years, Pi-hole has known to work with other operating systems. But, now, the project officially supports several Linux distros, including my distro of choice, which is Ubuntu.

Linux VM

I chose the virtual machine route this time since I had issues with internal DNS resolutions back in 2016 or 2017 when I used a pre-packaged Pi-hole Docker container. With the conditional forwarding feature, that issue should no longer exist and I may consider moving to a Docker container again in the future.

Related: VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

My network currently has three ESXi servers. I assembled one of them back in 2012, one in 2016, and one this year.

Specs of my Pi-hole VM are the following:

  • 1 x vCPU
  • 768 MB of RAM
  • 1 x vNIC
  • 8 GB of disk space

Preliminary steps

Pi-hole needs a static IP address. We can approach this in two ways. One is statically assigning an IP address to the server. The other is to use a DHCP reservation. I prefer to assign an IP address on my servers.

Before Ubuntu 18.04, assigning a static IP address is controlled via the/etc/network/interfaces file. Now, it’s a YAML file that needs to be modified which is the /etc/netplan/50-cloud-init.yaml file.

Since I used the VMXNET3 network adapter type, the interface name is ens160. Under the interface, we need to change the DHCP line from true to false. Then, assign an IP address to the interface. Alternatively, we can delete the dhcp4: true line.

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
                    - 192.168.100.53/24
            gateway4: 192.168.100.1
            nameservers:
                addresses:
                    - 208.67.222.222
                    - 207.67.220.220
    version: 2

After saving the changes to the YAML file, we need to apply the changes. Issue the command as seen below for the changes to take effect.

$ sudo netplan apply

Finally, we’re on the last command in the preliminary steps. We now need to make sure our Ubuntu Linux is up to date.

$ sudo apt update && sudo apt dist-upgrade -y

Pi-hole installation

Installing Pi-hole is quite easy. We just need to issue a one-line command.

$ curl -sSL https://install.pi-hole.net | bash

You may be thinking that this is a risky command to issue. Pi-hole wrote a post on why curling and piping to bash is controversial. If you don’t trust what this command does, then head over to their GitHub for alternative methods of installation.

In the installation wizard, you can leave everything as default. If you ever need to change it, then you can do it after installation using the admin page.

Eventually, you’ll reach the end of the installation wizard, and it will provide you a random password. It also shows you how to access the WebUI to make additional configurations.

Post-installation

The default values in the installation wizard are enough for a typical home environment. That said, no need to make any changes by logging into the admin page except to change the default password that was created by the installation wizard.

Change default password

To change the password, you need to issue one command, as can be seen below.

$ sudo pihole -a -p
Enter New Password (Blank for no password): makemypasswordgreatagain
Confirm Password: makemypasswordgreatagain
  [✓] New password set

Conditional forwarding

As previously mentioned, I run an internal DNS in my network. I may consider moving everything to Pi-hole, but not at this time. That said, I configured the conditional forwarding feature. You’d want to do this if you have a similar environment like mine.

To configure, click on Settings DNS and then scroll down until you find the Conditional Forwarding section.

Pi-hole conditional forwarding

Since I have multiple subnets, I needed to add PTR records so that I can perform reverse DNS lookups. Without these records, I was only able to perform lookups within the same network as my internal DNS server. In this case, it was only within the 192.168.100.0/24 network. To add more networks, create a file in the /etc/dnsmasq.d directory.

$ sudo vi /etc/dnsmasq.d/02-pihole.conf

server=/10.168.192.in-addr.arpa/192.168.100.155
server=/20.168.192.in-addr.arpa/192.168.100.155
server=/30.168.192.in-addr.arpa/192.168.100.155
server=/40.168.192.in-addr.arpa/192.168.100.155
server=/50.168.192.in-addr.arpa/192.168.100.155

After saving the file, make sure to restart the Pi-hole DNS service by issuing the sudo pihole restartdns command.

Pi-hole as internal DNS server

The easiest way to make Pi-hole as an internal DNS server is by making it the DHCP server for the network. A lot of people will opt for this option because it’s easy and automatic.

If you want to make your life harder, then adding entries to the host file is the other option. To edit the host file, use your favorite text editor and add host entries to /etc/hosts file. Below is an example of a host file I create for another home network that I have.

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 pihole

192.168.80.151 	esxi03	esxi03.networkjutsu.local
192.168.80.1 	erx	erx.networkjutsu.local
192.168.80.100	unifi	unifi.networkjutsu.local	unifi-controller	unifi-controller.networkjutsu.local
192.168.80.101	nanohd	nanohd.networkjutsu.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

DNS resolution from another network

If you have multiple subnets, just like my environment, you will need to ensure that your Pi-hole interface listening behavior is correct. There might be an instance where the installation wizard sets it to Listen on all interfaces. With this setting, the Pi-hole ignores DNS queries from clients that are not in the same network as Pi-hole’s interface. Make sure to set it to Listen only on interface ens160 or Listen on all interfaces, permit all origins.

Alternatively, if you’re a CLI junkie, you can change this setting by editing /etc/pihole/setupVars.conf file. Below is my current setting.

$ cat /etc/pihole/setupVars.conf | grep DNSMASQ_LISTENING
DNSMASQ_LISTENING=single

If you want to know the Web UI equivalent, then use this table.

localListen on all interfaces
singleListen only on interface ens160
allListen on all interfaces, permit all origins

Adding more to the blocklist

While the built-in blocklist works great in blocking ads, there are other lists that you can add. Currently, I use some of the blocklists from The Firebog site. I need more time to test before adding more to the list. Additionally, I added Dshield’s suspicious domain list as well.

Client’s DNS configuration

Once you completed the Pi-hole configuration, you’re now ready to make changes to your DNS configuration. There are two approaches that you can take.

The first one is to change your router’s DNS configuration. I recommend using this route since it’s the easiest and fastest out of the two.

The second approach is to change the DHCP configuration settings to point to Pi-hole as the DNS server. This approach is slow since the DHCP timeout applies. To immediately take effect, clients will need to release and renew their DHCP lease.

Keeping it up to date

At this time of writing, the update mechanism is not available on the web UI. That said, you would have to use the CLI to update Pi-hole. To update, use the command below.

$  pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:	up to date
  [i] Web Interface:	up to date
  [i] FTL:		up to date

  [✓] Everything is up to date!

Pi-hole in action

Now that you’re finished with configurations, it’s time to see it in action. In the next few sections, I’m going to demonstrate the different types of scenarios to show the value of Pi-hole and ad blocker.

Scenario 1

No ad blocking

Here’s an example of a network without Pi-hole and a browser without uBlock Origin installed. As expected, advertisements are showing on the page.

Not blocking ads require more web requests

If you try it out yourself, you will notice that the page loads very slow. It is especially noticeable when you’re testing it using a low powered machine and not a very fast internet connection. With the use of developer tools, you will notice there are a lot of web requests.

Scenario 2

Using Pi-hole without uBlock Origin

Here’s an example of a network with Pi-hole and a browser without uBlock Origin installed. As expected, no advertisements are showing on the page.

Blocking ads with Pi-hole reduces web requests

If you try to load the page again, with cache disabled, you will notice that it loads very fast. It is because of the reduced number of web requests blocked by Pi-hole. In this scenario, we saved a whopping 758%!

Scenario 3

Using uBlock Origin only

Here’s an example of a network without Pi-hole and a browser with uBlock Origin installed. In this scenario, the browser add-on blocked the ads. However, it loaded the video player that we saw earlier but without the ads.

Blocking ads using uBlock Origin reduces number of web requests

Using uBlock Origin still saves us a lot of web requests. However, the number is not as high as the one shown earlier. Nevertheless, having the ad blocker reduced the number of web calls to 403%.

Scenario 4

Using both Pi-hole and uBlock Origin

Here’s an example of a network with Pi-hole and a browser with uBlock Origin installed. Visually, there’s no difference between this and the second scenario. However, inspecting with developer tools shows that there’s a slight difference.

Pi-hole and uBlock Origin further reduces the number of web requests

As you can see, it further reduced the number of requests compared to the second scenario. While not significant, having an ad blocker on your browser helps block ads and trackers not caught by Pi-hole.

An example of this is by visiting YouTube. If you turn off the ad blocker, the ads will load. Pi-hole cannot effectively block the ads because YouTube hosts both the content and advertisements on the same server.

Final Words

As discussed, blocking ads is no longer just to avoid seeing obnoxious images or videos. It’s also for avoiding malvertising and saving bandwidth. With the combination of Pi-hole and ad blocker, you will definitely accomplish those objectives.

If you like any of my posts, please consider buying me a coffee as a token of appreciation.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

VMware ESXi Home Lab – Intel NUC 10 (Frost Canyon)

by Leave a Comment

If you follow me on Instagram or Twitter, then you know that I recently installed VMware ESXi on Intel NUC 10 (Frost Canyon). It will join the existing hosts in my VMware ESXi home lab that I assembled in 2012 and 2016. While these hosts are old, they’re still useful for what they currently do. Eventually, I’m going to repurpose the ESXi 2012 build and will talk about it in a future post. The ESXi 2016 build will continue to host my current virtual servers and future lightweight servers. This new ESXi build will host VMs that require more oomph than the Core i3-based ESXi build. For example, CSR1000v, vMX, vQFX10K, etc.

Hardware

VMware ESXi on Intel NUC 10 (Frost Canyon)

I bought the majority of the parts during Black Friday and Cyber Monday, so I was able to minimize the cost a little bit. The NUC was a pre-order and the delivery date changed once or twice. Eventually, the order arrived a month later. Since I was traveling in Asia when it was delivered, I didn’t get to play with it until last week.

Here are the parts of this VMware ESXi build:

UPDATE: The VMware engineers responsible for the Fling USB NIC driver released the ne1000 driver offline bundle for the Intel NUC 10 (Frost Canyon). With that said, a lot of the steps covered here are no longer necessary. You do, however, still need to customize the ESXi ISO image.

Here’s the result of replacing the built-in ne1000 driver on the vanilla ESXi 6.7.0 ISO image.

[root@esxi03:~] esxcli network nic list
Name    PCI Device    Driver  Admin Status  Link Status  Speed  Duplex  MAC Address         MTU  Description
------  ------------  ------  ------------  -----------  -----  ------  -----------------  ----  -------------------------------------------------
vmnic0  0000:00:1f.6  ne1000  Up            Up            1000  Full    1c:69:7a:01:23:45  1500  Intel Corporation Ethernet Connection (10) I219-V

You might be wondering why did I buy the USB NIC. I found out that the built-in NIC on the NUC is a newer version of I219-V and it and is not currently on VMware’s hardware compatibility list. Without a recognized network adapter, I won’t be able to install ESXi on this NUC.

As you can see from the output below, the hardware version of the built-in NIC seems to be 10. Looking at the VMware HCL, the Intel Ethernet Connection (10) I219-V is not included on the list.

[root@esxi03:~] lspci -v | grep "I219-V" -A 1
0000:00:1f.6 Network controller Ethernet controller: Intel Corporation Ethernet Connection (10) I219-V
	 Class 0200: 8086:0d4f

Pre-installation

The installation process is not straight forward compared to other versions of Intel NUC. With the Frost Canyon NUC, you need to create a custom ISO that includes the USB NIC drivers. Fortunately, there’s a Fling USB driver created by VMware engineers.

Software

You’ll need to download and install some software before you can create a custom ESXi ISO image. Here are the tools that I loaded in my Windows 10 VM:

You don’t need to download the latest ESXi ISO since the ESXi-Customizer-PS will take care of it for you.

Creating a custom ESXi ISO image

Once you’ve completed the software download and install, then it’s time to create the custom ESXi ISO image. Follow all the steps in this section to successfully create the installation media.

Step 1 – Run Windows PowerShell

To run the software, click the Start Menu and look for Windows PowerShell. Once located, right-click it and click the Run as administrator. Once PowerShell window is up, issue the command as shown below.

Step 2 – Run ESXi-Customizer-PS

Now, you’re ready to create a custom ESXi ISO image. To create the ISO image, you need to issue the commands as shown below. This step assumes that the Fling USB ne1000 driver offline bundle is in the ESXi folder as well.

PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
PS C:\Windows\system32> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
PS C:\Windows\System32> cd ~\Desktop\ESXi
PS C:\Users\Andrew\Desktop\ESXi> .\ESXi-Customizer-PS-v2.6.0.ps1 -pkgDir .\

Step 3 – Run Rufus

You’re now ready to create the USB installation media using Rufus. Launch Rufus and write the ISO image to your USB flash drive. Click the Start button. If you see a message about an obsolete version of ‘menu.c32’, then click the Yes button. You may see another pop-up window that’s warning you about data destruction, just hit OK to continue.

Creating VMware ESXi USB installation media

Modifying the BIOS settings

UPDATE: With the release of the ne1000 driver, this step is no longer necessary.

This step is necessary since you need to set the USB NIC as the primary network adapter. Using USB NIC as the primary network adapter means the settings do not persist, by default. To make it persistent, you’ll need to create a startup script. This is not allowed when Secure Boot is enabled. That said, you’ll want to disable the Secure Boot feature.

To disable the Secure Boot feature in the BIOS, power on the NUC and hit the F2 key once you see the Intel NUC logo. Once you’re in the BIOS, select the Boot tab and then Secure Boot. Under the Secure Boot menu, you should see the Secure Boot as enabled, disable it and save the changes.

Optional: While you’re in the BIOS, you may want to make sure that the Intel Virtualization Technology features are enabled. To verify, go to the Performance tab and select the Processor settings. You will now see multiple drop-down menus. Make sure that Intel Virtualization Technology and Intel VT for Directed I/IO (VT-d) are enabled. Save and exit the BIOS by hitting the F10 key.

Installing ESXi on 10th Gen Intel NUC

UPDATE: With the release of the ne1000 driver, the installation will go smoothly.

After all the pre-work that you’ve done, I’m sure you’ve been waiting for this step. The installation is straight forward, for the most part. The only hiccup that you will encounter is the installation gets stuck at 85%, and an error message appears. Don’t worry about being stuck at 85%. The ESXi install went through fine. Restart the NUC, and ESXi will boot properly.

Installing ESXi on Intel NUC (Frost Canyon)

Post-installation

UPDATE: With the release of the ne1000 driver, this section is no longer necessary.

Once ESXi is up and running, there are still some steps you will need to take before you can start firing up VMs. Follow these post-installation steps to make the USB NIC persistent.

Step 1 – Configure password

Unfortunately, the password that you set during the installation process won’t work. With that said, you will need to leave the password blank after hitting the F2 key. Once you’re in, you need to configure a password for your ESXi server. Go to the Configure Password settings. Leave the password blank for the Old Password section, then enter your new password.

Step 2 – Perform network restore

The next step is to perform a network restore. By doing this step, the system will recognize the network adapter. To perform a network restore, go to the Network Restore Options settings. Select the Restore Network Settings and hit the Enter key. It will ask you if you want to reset the network configuration, hit the F11 key for yes, and then hit the Enter key.

Once done, you need to log out of the system. Hit Esc key twice to log out. You will now see that the host has an IP address via DHCP. If your network does not have DHCP enabled, then it should get an APIPA address.

Step 3 – Configure the management network

This step is necessary if you want your server to use a static IP address. Log back in using the password that you set earlier. Then, go to Configure Management Network and then IPv4 Configuration settings. Select the static option and enter the IP address information. Once completed, make sure to apply the changes.

Feel free to change the hostname while you’re in this section as well.

Step 4 – Enable SSH

From time to time, I need to access CLI, so when I build an ESXi system, I usually enable SSH. There are two ways to enable SSH. One via the console and the other one is via the ESXi Embedded Host Client (Web UI).

Option 1 – Console

To enable using the console, go to Troubleshooting Options settings and select Enable SSH.

Option 2 – Host Client

Log into the Web UI using the IP address or DNS name. Once logged in, go to Actions > Services > Enable Secure Shell (SSH).

Step 5 – Add a script

As mentioned in the BIOS settings section, using USB NIC as the primary network adapter means the settings do not persist, by default. That said, you will need to add some lines to the /etc/rc.local.d/local.sh file.

The script that you need to add will depend on your virtual switch configuration. In my case, I use the Standard Virtual Switch in my environment. If you use Distributed Virtual Switch (VDS), then you can customize the one here.

ESXi has VI editor built-in, so you can use that to add the script. Insert the text before the exit 0 section, as shown below.

#!/bin/sh

# local configuration options

# Note: modify at your own risk!  If you do/use anything in this
# script that is not part of a stable API (relying on files to be in
# specific places, specific tools, specific output, etc) there is a
# possibility you will end up with a broken system after patching or
# upgrading.  Changes are not supported unless under direction of
# VMware support.

# Note: This script will not be run when UEFI secure boot is enabled.

vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
count=0
while [[ $count -lt 20 && "${vusb0_status}" != "Up" ]]
do
    sleep 10
    count=$(( $count + 1 ))
    vusb0_status=$(esxcli network nic get -n vusb0 | grep 'Link Status' | awk '{print $NF}')
done

if [ "${vusb0_status}" = "Up" ]; then
    esxcfg-vswitch -L vusb0 vSwitch0
    esxcfg-vswitch -M vusb0 -p "Management Network" vSwitch0
    esxcfg-vswitch -M vusb0 -p "VM Network" vSwitch0
fi

exit 0

Verification

To verify that the script works, reboot your ESXi server. After a minute or so, you should be able to log back in.

In addition, you may want to create a VM to test network connectivity. In my case, I created a Ubuntu Linux Server edition to verify if the vNIC works correctly.

Final Words

VMware ESXi on Intel NUC 10 (Frost Canyon)

While there are a lot of hoops to jump through to get ESXi working on this Intel NUC 10 (Frost Canyon) with 10th generation Intel Core CPU, I still prefer this host compared to a Dell or HP used server. Sure, I’ll save more money acquiring them, but I don’t have space for it. In addition, they’re more power-hungry than the Intel NUC.

It’s worth noting that when the Intel NUC 8 (Bean Canyon) was released, people had to create a custom ISO as well. Eventually, VMware released updates to where the ISO included the Intel I219-V drivers. I’m hoping that VMware will release an update for this hardware revision as well. With the release of the ne1000 driver offline bundle, there may be a good chance that VMware will release an ISO with the driver.

You might like to read

Deploying vQFX on VMware ESXi
Deploying TACACS+ on a Docker container

If you like any of my posts, please consider buying me a coffee as a token of appreciation.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Deploying TACACS+ on a Docker container

by Leave a Comment

tacacs+ docker container

Back in 2011, I wrote how to configure tac_plus (TACACS+ daemon) on an Ubuntu server. Then two years ago, I wrote a post about adding two-factor authentication (2FA) to TACACS+. Today, I’m going to talk about deploying TACACS+ on a Docker container.

While I’ve written migrating FreeRADIUS with 2FA to a Docker container post in the past, I’d still consider myself a newbie. I don’t deal with Docker daily to be well-versed.

Since I’m still a newbie, I make mistakes writing a Dockerfile and sometimes get stuck when the container keeps restarting. Part of the problem is I’m still learning Linux even though I’ve been using it for many years.

Another part is I have yet to sit down and read a book about Docker, like this one. The book has a high rating on Amazon and seems like a good buy if you’re trying to learn it.

Yes, I could download someone else’s Docker container. However, I don’t like doing that. When I write the Dockerfile from scratch, it forces me to learn both Docker and Linux.

Docker Installation

Before we can deploy a TACACS+ container, we need to install the Docker software. Docker’s documentation has the steps on how to do it on your preferred OS. For this tutorial, I’m using the Ubuntu Server 18.04 as my OS of choice.

andrew@networkjutsu:~$ sudo apt-get update
andrew@networkjutsu:~$ sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common -y
andrew@networkjutsu:~$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
andrew@networkjutsu:~$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
andrew@networkjutsu:~$ sudo apt-get install docker-ce docker-ce-cli containerd.io -y
andrew@networkjutsu:~$ sudo apt autoremove -y
andrew@networkjutsu:~$ docker --version
Docker version 19.03.4, build 9013bf583a

Alternatively, we can install the Docker version that Ubuntu is using in their repo. Installing from Ubuntu’s repo is the easiest way to install Docker.

andrew@networkjutsu:~$ sudo apt install docker.io -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
<-- Output omitted for brevity -->
andrew@networkjutsu:~$ docker --version
Docker version 18.09.7, build 2d0083d

Docker Compose installation

I like to use the docker-compose command to run multiple containers in one syntax. That said, I have that installed on my Ubuntu server. This step is optional, but I highly recommend using it. If you have a different OS, then visit this page.

andrew@networkjutsu:~$ sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
andrew@networkjutsu$ sudo chmod +x /usr/local/bin/docker-compose
andrew@networkjutsu$ docker-compose --version
docker-compose version 1.24.1, build 4667896b

Dockerfile

I like to separate my files for each Docker containers that I want to deploy. That said, I create a new directory for each of them.

andrew@networkjutsu:~$ mkdir tacacs

Once I’ve created the directory, it’s time to write the Dockerfile. Since I’m more familiar with VIM than any other text editor on Linux, that’s what I use. Please feel free to use your favorite Linux text editor.

andrew@networkjutsu:~$ vi tacacs/Dockerfile

Once VIM is running, we can now write the contents of our Dockerfile. Here’s a sample of my TACACSC+ Dockerfile.

# Use Base Ubuntu image
FROM ubuntu:18.04

# Author of this Dockerfile
MAINTAINER Andrew Roderos <andrewroderos.com>

# Update & upgrades
RUN apt-get update && apt-get upgrade -y

# Install tacacs+ and Google Authenticator
RUN apt-get install tacacs+ libpam-google-authenticator -y

# Clear local repo
RUN apt-get clean

# Create a user with home directory
RUN useradd -m -d /home/andrew -s /bin/bash andrew

# Add password to andrew account
RUN echo "andrew:makemypasswordgreatagain" | chpasswd

# Copy Google secret key from host's volume to tacacs+ container
COPY .google_authenticator /home/andrew

# Change file owner
RUN chown andrew:andrew /home/andrew/.google_authenticator

# Copy tac_plus configuration file from host to the container
COPY tac_plus.conf /etc/tacacs+/tac_plus.conf

# Add tac_plus PAM
RUN touch /etc/pam.d/tac_plus
RUN echo auth requisite pam_google_authenticator.so forward_pass >> /etc/pam.d/tac_plus
RUN echo auth required pam_unix.so use_first_pass >> /etc/pam.d/tac_plus

# Run tac_plus as foreground process and use /etc/tacacas+/tac_plus.conf as the config file
CMD ["tac_plus", "-G", "-C", "/etc/tacacs+/tac_plus.conf"]

Preliminary steps

Before we can build the TACACS+ Docker container, we need to do some preliminary steps. As you can see from the Dockerfile, it will copy some files that I already have in the current directory. Without these files, the docker build command will error out.

Google Authenticator secret key

The first file we need is the .google_authenticator file. This file contains all the necessary parameters for our TOTP (Time-based One Time Password).

Since I use Google Authenticator at home, I just copied my existing file for this lab. If you don’t have one, you may want to generate one from another host. I covered the generation of the secret key in this post.

Once you’ve generated the secret key, we can now copy the .google_authenticator file in the home directory. Please copy it to the tacacs directory.

andrew@networkjutsu:~$ cp .google_authenticator tacacs

TACACS+ configuration file

The next file we need is the tac_plus.conf file. This file gets generated when you install tac_plus software. Since I’ve covered this topic before, I already have a configuration file that I can use. If you don’t have one, then you can use my configuration files from here and here.

If you do create this from scratch, make sure the owner and permissions are the same as the one below.

andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw------- 1 root root 3108 Nov 4 18:43 tac_plus.conf

Depending on how you create the file, the owner and permissions are different. For example, I created the tac_plus.conf file using a non-root account.

andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw-rw-r-- 1 networkjutsu networkjutsu 3108 Nov 4 20:41 tac_plus.conf

There are multiple options to fix this minor issue. One option is by deleting the file and recreating it using the root account.

andrew@networkjutsu:~/tacacs$ rm tac_plus.conf
andrew@networkjutsu:~/tacacs$ sudo vi tac_plus.conf
andrew@networkjutsu:~/tacacs$ sudo chmod 600 tac_plus.conf
andrew@networkjutsu:~/tacacs$ ls -l tac_plus.conf
-rw------- 1 root root 3108 Nov 4 20:44 tac_plus.conf

Another option is adding some lines to the Dockerfile to change the owner and permissions. Add the following lines after the COPY tac_plus.conf /etc/tacacs+/tac_plus.conf line.

# Change owner from andrew to root
RUN chown root:root /etc/tacacs+/tac_plus.conf

# Change permission to root only access
RUN chmod 600 /etc/tacacs+/tac_plus.conf

Creating a Docker image

Once done with the preliminary steps, we can now create our TACACS+ Docker image. Creating a Docker image is pretty straightforward. All we need to do is issue the command below.

andrew@networkjutsu:~/tacacs$ docker build -t tacacs .
Sending build context to Docker daemon  8.192kB
Step 1/14 : FROM ubuntu:18.04
 ---> 452a96d81c30
Step 2/14 : MAINTAINER Andrew Roderos <andrewroderos.com>
 ---> Using cache
 ---> 1c717e03db89
<-- Output omitted for brevity -->

Once the building process is done, you can verify that the Docker image is ready by issuing the command below.

andrew@networkjutsu:~/tacacs$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
tacacs              latest              32a7bc92b24a        2 minutes ago       205MB
radius              latest              c558d1437285        33 hours ago        248MB

Docker Compose

We’re now ready to run the Docker image. If you prefer to use docker run syntax, then feel free to use that one. I happen to like to use the docker-compose command when starting up Docker containers. That said, we need to edit my existing docker-compose.yml file before we can run the Docker container.

andrew@networkjutsu:~/tacacs$ vi ../docker-compose.yml

The file should look like the one below.

andrew@networkjutsu:~/tacacs$ cat ../docker-compose.yml
version: "3"
services:
  radius:
    container_name: radius
    image: radius
    ports:
    - "192.168.200.51:1812:1812/udp"
    - "192.168.200.51:1813:1813/udp"
    - "192.168.200.51:18120:18120/udp"
    environment:
    - VIRTUAL_HOST=radius.networkjutsu.local
    restart: always
    volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro
  tacacs:
    container_name: tacacs
    image: tacacs
    ports:
    - "192.168.200.49:49:49/tcp"
    environment:
    - VIRTUAL_HOST=tacacs.networkjutsu.local
    restart: always
    volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro

Now, we’re ready to run our TACACS+ Docker container.

andrew@networkjutsu:~$ docker-compose up -d
Creating tacacs ...
radius is up-to-date
Creating tacacs ... done
andrew@networkjutsu:~/tacacs$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                                                      NAMES
1a6eb28498d6        tacacs              "tac_plus -G -C /etc…"   14 seconds ago      Up 13 seconds       192.168.200.49:49->49/tcp                                                  tacacs
946d992dddb5        radius              "freeradius -f"          17 hours ago        Up 17 hours         192.168.200.51:1812-1813->1812-1813/udp, 192.168.200.51:18120->18120/udp   radius

If the status says Restarting, then that means there’s something wrong with the tac_plus.conf file or Dockerfile. You might have to spend some time troubleshooting if your config isn’t the same as mine.

Note: The instructions covered here are not recommended for production use since it’s running the container as root.

Verification

Once the Docker container is running, then we’re now ready to verify if our TACACS+ is working as expected. This step assumes that you already have an IOS device with a TACACS+ configuration. If you need a sample configuration, please check out my post.

R1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: andrew
Password & verification code: makemypasswordgreatagain468792
R1>en
Password: makemypasswordgreatagain
R1#

Note: The example above was done using the CSR 1000v and may not represent what the prompt would look like on regular IOS-based devices.

Final Words

OS-level virtualization, such as Docker, offers a lot of advantages over server virtualization. One of the benefits of OS-level virtualization is that it consumes fewer system resources compared to VMs. It is the major reason why I run containers for my FreeRADIUS and TACACS+ services.

Additionally, if done right, it’s faster for me to deploy something on Docker than provisioning new VMs. Though, with the mistakes I’ve done in the past, I am sure I could’ve provisioned new VMs a lot faster.

Just because everyone is doing Docker containers, doesn’t mean you should follow suit. Make sure to weigh in the pros and cons of running services, such as TACACS+, on Docker.

You might like to read

VMware ESXi Home Lab – Intel NUC (Frost Canyon)
Blocking ads network-wide

If you like any of my posts, please consider buying me a coffee as a token of appreciation.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Deploying vQFX on VMware ESXi

by Leave a Comment

Several weeks ago, I started deploying vQFX on our VMware ESXi lab environment. At this time of writing, Juniper still does not have OVA files for both PFE (Packet Forwarding Engine) and RE (Routing Engine). That means deploying vQFX10K is not as easy as the vMX and vSRX.

Since it took me a few tries, I thought I’d share the steps on how to deploy multiple vQFX10K instances on ESXi. I hope this tutorial will prevent you from pulling your hair out.

Deploying vQFX10K will help with your Juniper certification pursuit and other lab scenarios. However, I didn’t use it for my JNCIA-Junos. I mostly used vMX and vSRX for WebUI practice.

Hardware

I initially deployed the vQFX10K on a Dell PowerEdge R610 at work. It has two Intel X5677 (4c/8t) CPU and 128GB of RAM. The multiple vQFX10K instances have been running pretty smoothly on this hardware.

Related: VMware ESXi Home Lab – Intel NUC (Frost Canyon)

For this tutorial, I am running it on an older version of Intel NUC. Compared to the R610’s specs, this is quite an expensive kit. Even though the price is up there, I like it because of its small form factor.

I highly recommend it for people who have no space for used rack or tower servers. The 8th generation can go up to 64GB of RAM. Though, it’s not officially supported.

Software

I’m using VMware ESXi version 6.7.0 Update 3, which is running off an 8GB USB flash drive. I’ve been running ESXi off a USB flash since my 2012 ESXi build. It’s a great way to separate and maximize the datastore for VMs.

For this tutorial, I used vQFX10K 18.4R1 release for both PFE (Packet Forwarding Engine) and RE (Routing Engine). Both vQFX10K and vMX require us to deploy two separate VMs. The PFE is the data plane that is responsible for forwarding transit traffic. The RE is the control plane which is the brain of the platform.

Deployment Steps

In this tutorial, I will be deploying one vQFX10K instance. The steps to add more is the same. Some of the steps aren’t necessary if you need just one instance.

You may rearrange some of the steps discussed here. After all, this post is meant to serve as a guide.

Step 1 – Download vQFX10K

The first step is to grab copies of both vQFX10K PFE and RE Virtualbox files. These files are available via Juniper’s Software Download site. You will need a Juniper account if you don’t already have one. You may also need to request access to software downloads. I am not sure if it requires an active service contract. Since we are a Juniper customer, I was able to request access to download the files.

Once you’re on the software download site, you need to expand the Application Package section. You will need both the Vagrant Package for Virtualbox (VQFX10K PFE) and Vagrant Package for Virtualbox (VQFX10K Routing Engine) box files. At this time of writing, 18.4R1 release is the current version for evaluation.

Step 2 – vSwitch and Port Groups

My goal from the start was to create multiple instances of vMX and vQFX10K. That said, I needed to create a different vSwitch and port groups so it won’t conflict with existing VMs.

Creating a new standard vSwitch

To create a new vSwitch using ESXi host client, you need to click on Networking under the Navigator pane. There you will see multiple tabs like Port groups and Virtual switches. Click on the Virtual switches tab and click on the Add standard virtual switch. Use the same vSwitch settings below.

vSwitch

Creating a new port group

To create a new port group, you need to click on Port groups and click on the Add port group. You will need to create a new port group every time you want to add a new vQFX10K or vMX. This new port group is used to separate the L2 connectivity between the PFE and RE with other vQFX10K instances. Make sure to change the VLAN ID for the new VM instance.

port group

Step 3 – Upload box files to VMware ESXi

To upload both PFE and RE box files, you need to click on Storage under Navigator pane. There you will see multiple tabs like Datastores and Adapters. Click on the Datastore browser and select your desired datastore and upload both box files.

Step 4 – Extract VMDK file

Once the upload of both PFE and RE box files is complete, you need to extract the VMDK files. To do this, you need to use the tar command to unpack the files.

Note: This assumes that you have SSH enabled on your ESXi server.

[andrew@esxi02:~] cd /vmfs/volumes/nfs1/
[andrew@esxi02:/vmfs/volumes/nfs1] mkdir vQFX-PFE
[andrew@esxi02:/vmfs/volumes/nfs1] mkdir vQFX-RE
[andrew@esxi02:/vmfs/volumes/nfs1] tar -zxf vqfx-18.4R1.8-pfe-virtualbox.gz -C vQFX-PFE
[andrew@esxi02:/vmfs/volumes/nfs1] tar -zxf vqfx-18.4R1.8-re-virtualbox.gz -C vQFX-RE
[andrew@esxi02:/vmfs/volumes/nfs1] ls -l vQFX*
vQFX-PFE:
total 1048364
-rw-r--r--    1 501      20             258 Mar 12  2018 Vagrantfile
-rw-r-----    1 501      20            9538 Mar 12  2018 box.ovf
-rw-r--r--    1 501      20              26 Mar 12  2018 metadata.json
-rw-rw----    1 501      20       1073497600 Mar 12  2018 packer-virtualbox-ovf-1520878605-disk001.vmdk

vQFX-RE:
total 438916
-rw-r--r--    1 501      20             258 Jan 11  2019 Vagrantfile
-rw-r--r--    1 501      20           13256 Jan 11  2019 box.ovf
-rw-r--r--    1 501      20              26 Jan 11  2019 metadata.json
-rw-r--r--    1 501      20       449420800 Jan 11  2019 packer-virtualbox-ovf-1547241286-disk001.vmdk

Optional: Rename the VMDK files.

I like to rename the VMDK files so they’re more descriptive.

[andrew@esxi02:/vmfs/volumes/nfs1] mkdir vQFX-RE01
[andrew@esxi02:/vmfs/volumes/nfs1] mv vQFX-RE/packer-virtualbox-ovf-1547241286-disk001.vmdk vQFX-RE/vqfx-re.vmdk
[andrew@esxi02:/vmfs/volumes/nfs1] mv vQFX-PFE/packer-virtualbox-ovf-1520878605-disk001.vmdk vQFX-PFE/vqfx-pfe.vmdk
[andrew@esxi02:/vmfs/volumes/nfs1] ls -l vQFX* | grep .vmdk
-rw-rw----    1 501      20       1073497600 Mar 12  2018 vqfx-pfe.vmdk
-rw-r--r--    1 501      20       449420800 Jan 11  2019 vqfx-re.vmdk

Step 5 – Create vQFX10K RE instance

Before you can create a RE instance, you need to do some preliminary steps.

5.1 Create a directory

The first step is to create a directory where we want our VM files to reside. In this case, I created a vQFX-RE01 in my NFS1 datastore.

[andrew@esxi02:/vmfs/volumes/nfs1] mkdir vQFX-RE01

5.2 Convert VMDK file

The next step is to convert the VMDK file to thin provisioned.

[andrew@esxi02:/vmfs/volumes/nfs1] vmkfstools -i vQFX-RE/vqfx-re.vmdk -d thin vQFX-RE01/vqfx-re.vmdk
Destination disk format: VMFS thin-provisioned
Cloning disk 'vQFX-RE/vqfx-re.vmdk'...
Clone: 100% done.

5.3 View OVF file

Next, you need to know the specs to deploy the VM instance. You can do this by viewing the OVF file.

[andrew@esxi02:/vmfs/volumes/nfs1] cat vQFX-RE/box.ovf | grep -E '(CPU|memory|OSType)'
      <vbox:OSType ovf:required="false">FreeBSD</vbox:OSType>
        <rasd:Caption>1 virtual CPU</rasd:Caption>
        <rasd:Description>Number of virtual CPUs</rasd:Description>
        <rasd:ElementName>1 virtual CPU</rasd:ElementName>
        <rasd:Caption>1024 MB of memory</rasd:Caption>
        <rasd:ElementName>1024 MB of memory</rasd:ElementName>
    <vbox:Machine ovf:required="false" version="1.15-macosx" uuid="{d3e98788-7b29-473d-a2cf-879962f7a893}" name="packer-virtualbox-ovf-1547241286" OSType="FreeBSD" snapshotFolder="Snapshots" lastStateChange="2019-01-11T21:30:41Z">
        <CPU>
        </CPU>

As you can see, you’ll need 1 x vCPU, 1GB of RAM, and FreeBSD as the OS type. With this information, you’re now ready to deploy the vQFX10K RE VM.

5.4 Create vQFX10K RE VM

To create vQFX10K RE VM, you need to click on Virtual Machines under Navigation pane and click on the Create / Register VM. ESXi will present you with a new virtual machine window. Just hit the Next button since the Create a new virtual machine is selected, by default.

The next window will ask you the name of the VM, compatibility, guest OS family, and guest OS version. Use the following settings from the screenshot below.

RE VM name

Next, ESXi is going to ask which datastore you want your VM to reside. If you only have one, then hit Next. If you have multiple datastores, then select the one you want to use and hit the Next button.

The next window is where you can customize the settings for your RE VM instance. There are multiple settings that you’re going to change here.

The first setting you’re going to change is the hard disk. You need to remove the preconfigured virtual disk and replace it with the cloned VMDK file. Replace the Controller location setting to IDE controller 0.

RE virtual disk

The next setting you’re going to change is the network adapters. For the first network adapter, select the proper port group that you want to use. This vNIC is for the out-of-band management interface.

After configuring the first network adapter, you now need to add a second network adapter. This vNIC is for the L2 connectivity between RE and PFE.

Note: Make sure to select the E1000 network adapter type for both vNICs.

RE network adapters

Optional: If you’re using ESXi Enterprise Plus, you can add a serial port device, which allows you to console into the VM without logging into ESXi. This step assumes that ESXi is configured to accept the connection.

RE serial port

Step 6 – Create vQFX10K PFE instance

The steps to create the PFE VM instance is pretty much the same as the RE VM instance. For completeness sake, I am going to demonstrate so you can follow along.

6.1 Create a directory

The first step is to create a directory where we want our VM files to reside. In this case, I created a vQFX-PFE01 in my NFS1 datastore.

[andrew@esxi02:/vmfs/volumes/nfs1] mkdir vQFX-PFE01

6.2 Convert VMDK file

The next step is to convert the VMDK file to thin provisioned.

[andrew@esxi02:/vmfs/volumes/nfs1] vmkfstools -i vQFX-PFE/vqfx-pfe.vmdk -d thin vQFX-PFE01/vqfx-pfe.vmdk
Destination disk format: VMFS thin-provisioned
Cloning disk 'vQFX-PFE/vqfx-pfe.vmdk'...
Clone: 100% done.

6.3 View OVF file

Next, you need to know the specs to deploy the VM instance. You can do this by viewing the OVF file.

[andrew@esxi02:/vmfs/volumes/nfs1] cat vQFX-PFE/box.ovf | grep -E '(CPU|memory|OSType)'
      <vbox:OSType ovf:required="false">Ubuntu_64</vbox:OSType>
        <rasd:Caption>1 virtual CPU</rasd:Caption>
        <rasd:Description>Number of virtual CPUs</rasd:Description>
        <rasd:ElementName>1 virtual CPU</rasd:ElementName>
        <rasd:Caption>2048 MB of memory</rasd:Caption>
        <rasd:ElementName>2048 MB of memory</rasd:ElementName>
    <vbox:Machine ovf:required="false" version="1.16-macosx" uuid="{56cc6edd-6efe-4c8e-ad21-cd14fe5798be}" name="packer-virtualbox-ovf-1520878605" OSType="Ubuntu_64" snapshotFolder="Snapshots" lastStateChange="2018-03-12T18:17:47Z">
        <CPU>
        </CPU>

As you can see, you’ll need 1 x vCPU, 2GB of RAM, and Ubuntu 64-bit as the OS type. With this information, you’re now ready to deploy the vQFX10K PFE VM.

6.4 Create vQFX10K PFE VM

To create vQFX10K PFE VM, you need to click on Virtual Machines under Navigation pane and click on the Create / Register VM. ESXi will present you with a new virtual machine window. Just hit the Next button since the Create a new virtual machine is selected, by default.

The next window will ask you the name of the VM, compatibility, guest OS family, and guest OS version. Use the following settings from the screenshot below.

PFE VM name

Next, ESXi is going to ask which datastore you want your VM to reside. If you only have one, then hit Next. If you have multiple datastores, then select the proper one and hit the Next button.

The next window is where you can customize the settings for your PFE VM instance. There are multiple settings that you’re going to be changing here. The first setting you’re going to change is the hard disk. You need to remove the preconfigured virtual disk and replace it with the cloned VMDK file. Replace the Controller location setting to IDE controller 0.

PFE virtual disk

The next setting you’re going to change is the network adapters. For the first network adapter, select the proper port group that you want to use. This vNIC is for the out-of-band management interface.

After configuring the first network adapter, you now need to add a second network adapter. This vNIC is for the L2 connectivity between RE and PFE.

Next, you’ll need to add a few more network adapters. These network adapters are what some folks will call revenue ports. As you can see, I only added four network adapters. You can add more if you want.

Note: Make sure all your network adapters are using E1000 as the adapter type.

PFE network adapters

Optional: Add a serial port device to the PFE VM.

PFE serial port

Step 7 – Power on VMs

To power on the VMs, you can select both of them and turn them on at the same time.

Once the RE VM is finished booting, then you should see something like this.

RE fully boot

Now, if you turn your attention to the PFE VM, you’ll notice that the PFE VM appears to be stuck.

PFE fully boot

However, if you try to access it via the serial port device, then you will see it’s actually in a good state. Don’t worry if you’re not running Enterprise Plus license since you can verify the state of the PFE VM later.

PFE serial console

Note: If you want to log into the vQFX10K PFE VM, then use the root/no credentials. Though, you don’t ordinarily need to log into this VM. If you’re concerned about security, you may want to change the password.

Step 8 – Logging in

I like to log in via the serial port, so I use the telnet command to interact with the VM. Alternatively, you can use ESXi/vSphere/Fusion to interact with the vQFX10K RE VM. Use root/Juniper credentials to log in.

andrew@networkjutsu$ telnet esxi02 5001
Trying 192.168.100.102...
Connected to esxi02.networkjutsu.local.
Escape character is '^]'.


vqfx-re (ttyd0)

login: root
Password: Juniper

--- JUNOS 18.4R1.8 built 2018-12-17 03:30:15 UTC

root@vqfx-re:RE:0%

Step 9 – Verify RE and PFE connectivity

Once logged in, you may want to verify that the RE and PFE can communicate with each other via the internal bridge. This internal bridge is using the vQFX01 port group that you created earlier.

root@vqfx-re:RE:0% cli
{master:0}
root@vqfx-re> show chassis fpc
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online           Testing   1         0        0      0      0    1024        0         84
  1  Empty
  2  Empty
  3  Empty
  4  Empty
  5  Empty
  6  Empty
  7  Empty
  8  Empty
  9  Empty

Another way to verify that the RE can communicate with the PFE is by checking to see what revenue ports are available. Since I only added four network adapters on the PFE VM, then the only usable ports are from xe-0/0/0 to xe-0/0/3.

root@vqfx-re> show interfaces terse | match xe
xe-0/0/0                up    up
xe-0/0/0.0              up    up   inet
xe-0/0/1                up    up
xe-0/0/1.0              up    up   inet
xe-0/0/2                up    up
xe-0/0/2.0              up    up   inet
xe-0/0/3                up    up
xe-0/0/3.0              up    up   inet
xe-0/0/4                up    up
xe-0/0/4.0              up    up   inet
xe-0/0/5                up    up
xe-0/0/5.0              up    up   inet
xe-0/0/6                up    up
xe-0/0/6.0              up    up   inet
xe-0/0/7                up    up
xe-0/0/7.0              up    up   inet
xe-0/0/8                up    up
xe-0/0/8.0              up    up   inet
xe-0/0/9                up    up
xe-0/0/9.0              up    up   inet
xe-0/0/10               up    up
xe-0/0/10.0             up    up   inet
xe-0/0/11               up    up
xe-0/0/11.0             up    up   inet

Step 10 – Device management

The out-of-band management interface names vary from one platform to another. For the vQFX10K, the out-of-band management interface is em0.

By default, the em0 interface has DHCP enabled. Depending on your network, you may have to disable DHCP and assign a static IP address. In my case, the em0 is in a VLAN where DHCP is disabled.

To statically assign an IP address on the management interface, use the following command.

root@vqfx-re> configure
Entering configuration mode

{master:0}[edit]
root@vqfx-re# edit interfaces em0

{master:0}[edit interfaces em0]
root@vqfx-re# delete unit 0 family inet dhcp

{master:0}[edit interfaces em0]
root@vqfx-re# set unit 0 family inet address 192.168.1.60/24

{master:0}[edit interfaces em0]
root@vqfx-re# commit
configuration check succeeds
commit complete

Verify that it’s working properly by pinging from a host within the same network.

andrew@networkjutsu$ ping 192.168.1.60 -c 2
PING 192.168.1.60 (192.168.1.60): 56 data bytes
64 bytes from 192.168.1.60: icmp_seq=0 ttl=63 time=24.013 ms
64 bytes from 192.168.1.60: icmp_seq=1 ttl=63 time=29.325 ms

--- 192.168.1.60 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 24.013/26.669/29.325/2.656 ms

Dedicated management VRF

If you want to reach the out-of-band management from a different network, then you need to create a separate routing instance. By default, there is no clear separation between out-of-band management and in-band traffic.

To enable a dedicated management virtual routing and forwarding (VRF) instance, use the command below. This command will use the dedicated mgmt_junos management instance, which is reserved and hardcoded.

{master:0}[edit interfaces em0]
root@vqfx-re# top

{master:0}[edit]
root@vqfx-re# set system management-instance

Once you commit the change, Junos OS will automatically add the routing instance.

{master:0}[edit]
root@vqfx-re# commit
configuration check succeeds
commit complete

{master:0}[edit]
root@vqfx-re# run show route all | match mgmt_junos

mgmt_junos.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)

Now, you’re ready to add a static route for the management VRF. It will allow you to reach the management interface from another network. In this scenario, I’ve added just the 192.168.0.0/16 network. Alternatively, you could add 0.0.0.0.

{master:0}[edit]
root@vqfx-re# set routing-instances mgmt_junos routing-options static route 192.168.0.0/16 next-hop 192.168.1.1

{master:0}[edit]
root@vqfx-re# commit
configuration check succeeds
commit complete

You can verify by pinging a host on another network from your vQFX instance. When the verification of connectivity is successful, then you’re ready to play with your vQFX10K.

{master:0}[edit]
root@vqfx-re# run ping 192.168.100.250 routing-instance mgmt_junos count 2
PING 192.168.100.200 (192.168.100.250): 56 data bytes
64 bytes from 192.168.100.250: icmp_seq=0 ttl=63 time=0.744 ms
64 bytes from 192.168.100.250: icmp_seq=1 ttl=63 time=0.630 ms

--- 192.168.100.200 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.630/0.687/0.744/0.057 ms

Final Thoughts

As demonstrated, deploying vQFX10K is a little more involved than vSRX or vMX. If you’re trying to study for the JNCIA-Junos exam, then you may want to stick with vSRX. You’ll save time by using the OVA file. On top of that, it’s only one VM to deploy.

If you’re studying for a higher-level Juniper cert exam, then you’ll probably want to deploy vQFX VM(s). The vQFX10K will allow you to practice switching related commands that will aid in passing the test.

You might like to read

Passed JNCIA-Junos – My First Juniper Certification

If you like any of my posts, please consider buying me a coffee as a token of appreciation.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Passed JNCIA-Junos – My First Juniper Certification

by Leave a Comment

I recently passed the JNCIA-Junos certification exam. It is my first Juniper certification and maybe the last. However, I haven’t completely ruled out pursuing a higher-level Juniper certification.

jncia

Exam Details

The JNCIA-Junos exam I took has an exam code of JN0-102. This exam is one of Juniper’s entry-level certifications. In the Cisco world, this will be the CCENT equivalent. Though, in February 2020, Cisco will release its new entry-level certification called Cisco Certified Technician (CCT).

Here are some details about the exam:

  • 65 multiple-choice questions
  • 90 minutes to finish the exam
  • Take the exam at an authorized testing center or in your own home
  • Can skip and go back to the questions.
  • Can flag questions for review.
  • The passing score is quite low, so it’s easy to pass the exam.

Exam Objectives

Both Cisco and Juniper expect you to know networking fundamentals, so be sure you know it by heart. The fundamentals will include topics like subnetting, IPv4 and IPv6 addressing, binary to decimal conversion, etc.

For obvious reasons, Juniper wants you to know your way around the Junos OS. That said, you will also need to learn the OS fundamentals. Junos OS is quite different compared to Cisco IOS or NX-OS. It may take some time for someone who is a Cisco user to get used to it.

To view the exam objectives, then click here.

Preparation

I attended a three-day IJOS virtual class to spend our Juniper training credits since it was almost expiring. I also signed up for the JIR virtual class. Before these classes, we also attended a customized ADCX class for our organization.

On top of all these classes, we manage QFX and EX switches, and different models of MX routers. In short, I’m familiar with Junos OS but lack the fundamentals.

To practice Junos OS commands, I spun up some vSRX and vMX virtual machines on my ESXi server. Both of my ESXi servers are old, but they still serve my needs thus far. If you are interested in a small server, then you may want to check my newest ESXi build. Otherwise, any used decent server on eBay will do the job.

Related: Deploying vQFX on VMware ESXi

Additionally, I used Junos Genius before taking the exam. There are two available JNCIA-Junos practice exams. I took both of them and passed on each attempt.

If you are unable to attend the IJOS class, I suggest you sign up for the free JNCIA-Junos class via the Juniper Open Learning program. It fills up quickly, so make sure to check often. The program also includes a free exam voucher ($200 value) if you complete the class and pass a practice exam.

Unfortunately, not everyone will be able to attend the class. If you missed the registration period, then you can wait for another schedule to come up. If you’re on a tight schedule, then read some old books like Junos Enterprise Routing and Junos Enterprise Switching.

Alternatively, you can download these two-part old study guides. Juniper Networks published these study guides for learners who were in the defunct Fast Track Program. Both the study guides cover the majority of the JNCIA-Junos exam, except for IPv6 fundamentals.

Exam Experience

It’s a breath of fresh air to be able to skip, go back, and review questions during the exam. It has been a while since I’ve seen that in a certification exam. Though, I didn’t use it since I felt confident with my answers, for the most part.

The Junos Genius practice tests were helpful to gauge my exam readiness. I will admit that, psychologically, it made me feel confident that I will pass the exam on my first attempt. In fact, I rescheduled my exam a week earlier than the original date.

I originally scheduled my exam on September 27th. On the week of September 16th, I decided to reschedule it to September 20th. I would’ve rescheduled it earlier, but there weren’t many available slots left. I was hesitant to try the online proctored exam option, where you can take the exam in the comfort of your home or office.

View this post on Instagram

Passed JNCIA-Junos exam. Not a hard exam.

A post shared by Andrew Roderos (@andrewroderos) on

The exam wasn’t hard in my opinion. I finished it in less than 35 minutes if I recall correctly. I don’t think I’ve ever finished a certification exam that quick!

Final Thoughts

I’ve had a slight interest in the Juniper certification program in the past. However, I felt that it would’ve been a waste of time and money since my former employers didn’t have a single Juniper device.

If I hadn’t received a free exam voucher, there is a high probability that I wouldn’t have taken the exam. Having the voucher was a good enough excuse for me to take the exam and make a comparison to Cisco.

Overall, I think the JNCIA-Junos certification has some room for improvement. To me, JNCIA-Junos certification is quite easy to achieve. With a low passing score of around 60%, it’s almost as if they’re giving it away. Is it possible it was designed to lure networking professionals to Juniper’s product and service offerings?

What do you think? Let me know in the comments section below.

You might like to read

Deploying vQFX on VMware ESXi
VMware ESXi Home Lab – Intel NUC (Frost Canyon)

If you like any of my posts, please consider buying me a coffee as a token of appreciation.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.