"Nor can goodness and Evil be equal. Repel (Evil) with what is better: Then will he between whom and thee was hatred become as it were thy friend and intimate!" – Qur'an 41:34
VCP-NV (VMware Certified Professional – Network Virtualization) certification. I did VCP-NV this month and here are my ‘few’ words about it based on my little knowledge 🙂.
Just to recap: VMware vSphere provides two kinds of virtual switch, the standard vSwitch and the vSphere Distributed Switch (VDS). A standard vSwitch is created and managed per ESXi host. A Distributed Switch is created at the vCenter level and deployed to all the hosts managed by that vCenter: create it once and it is pushed to every host in the cluster. The Distributed Switch needs an Enterprise Plus license and comes with many more features than the standard vSwitch.
Although vSphere already ships with these virtual switches, they do not provide complete network virtualization. Changes still depend on the physical devices (for example, when a new network/VLAN is created, the physical switches have to be reconfigured too). Likewise, traffic between two networks has to leave the ESXi host, be routed by the physical network and come back, even when both networks live on the same host. There are many use cases like this; vSphere on its own lacked the SDN/overlay pieces to cover them.
VMware made a good decision (I think so) to acquire Nicira, and out of that came the network virtualization platform “VMware NSX“. VMware NSX comes in two flavours: NSX-v (for vSphere environments) and NSX-mh (for multi-hypervisor environments). This certification covers only NSX-v.
I skipped VCA-NV and went directly to VCP-NV as I currently hold a valid Cisco certification (see Path 3 on the VCP-NV certification page).
“Path 3: Valid CCNA Data Center or CCNA Routing & Switching or CCNP Data Center or CCNP Routing & Switching certification or CCIE Data Center or CCIE Routing & Switching. Note: This path is only available until January 31, 2016” – from VMware VCP-NV page
Hi! My last post gave an overview of how to prepare for the JNCIA certification and get started with Junos OS. This post is for people who are looking to get some hands-on time with Junos OS devices.
If you do not have access to real physical Juniper devices, you can try Juniper Networks’ vSRX (formerly known as Firefly Perimeter) virtual firewall.
Download and deploy the virtual appliance in VMware ESXi
You can download the vSRX VMware/KVM virtual appliance (evaluation download) here. Please refer to the vSRX documentation to learn about vSRX, its features, download/install instructions, initial configuration etc.
In this post I intend to introduce vSRX to those who have not heard about it (I think I am already done 🙂) and to discuss how to set up a simple OSPF topology with vSRX deployed inside a VMware ESXi host.
Topology
Three vSRX VMs, with OSPF running on each vSRX.
The above screenshot is taken from the Network Monitoring topology view of Junos Space Network Management Platform (powered by OpenNMS).
Setup
Three vSRX virtual appliances have been deployed on ESXi hosts:
sulaiman_fp1_10
sulaiman_fp2_11
sulaiman_fp3_12
I have added one extra vNIC on all the vSRXs. By default it comes with 2 vNICs; you can add up to 10 vNICs.
I used the ge-0/0/0.0 interface as the management interface on all the vSRXs, so Network Adapter 1 (ge-0/0/0.0) is assigned to a port group on a vSphere Standard Switch that has an uplink to the physical switch.
All the initial configuration on the vSRX is done (root password, default static route etc.). Please refer to the documentation link above if you have difficulty with the initial configuration.
VMware Standard Switch
vSphere has several types of virtual switch (e.g. Standard Switch, Distributed Switch and NSX Logical Switch).
To form an OSPF topology with three network segments as shown in the topology above, I used Standard Switches: three vSwitches, each with one port group.
You can also create a single vSwitch and configure three port groups with different VLAN IDs.
The remaining network adapters of each vSRX are assigned to the appropriate port group based on the network segment (see below).
No uplinks are required for these port groups, because traffic between these segments never leaves the host (hypervisor); the vSRXs route it among themselves!
10.10.10.0/24 Between sulaiman_fp1_10 (ge-0/0/1.0) and sulaiman_fp2_11 (ge-0/0/1.0)
172.16.0.0/24 Between sulaiman_fp1_10 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/1.0)
172.31.0.0/24 Between sulaiman_fp2_11 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/2.0)
Interface configuration snippet
sulaiman_fp1_10
root@sulaiman_fp1_10> show version
Hostname: sulaiman_fp1_10
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
root@sulaiman_fp1_10> show configuration | display set | match "unit 0"
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.10/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.10/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
sulaiman_fp2_11
root@sulaiman_fp2_11> show configuration | display set | match "unit 0"
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.11/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.11/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.11/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
sulaiman_fp3_12
root@sulaiman_fb3_12> show configuration | display set | match "unit 0"
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.12/20
set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.12/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.12/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32
IMPORTANT: vSRX is a firewall, so configure security zones and allow the needed traffic between the zones, as well as the host-inbound traffic (such as OSPF) that the device itself must accept on each zone. If you do not require vSRX to run in flow mode, you can disable flow mode.
Sample configuration snippet to configure security-zones
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services any-service
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp
The snippet above should be self-explanatory; most of it comes from the factory-default configuration. The management interface ge-0/0/0.0 is bound to the untrust zone and only management-related services are accepted on it, while the transit interfaces in the trust zone accept any-service and the trust zone accepts the OSPF protocol. Pay attention to this part if something is not working in your environment: a missing host-inbound-traffic entry makes the SRX silently drop packets addressed to itself, OSPF hellos included. Note also that this is lab-grade: telnet and http on the management interface are cleartext protocols, and any-service on the transit interfaces is far broader than the lab needs.
Configure single area OSPF
It is very straightforward!
root@sulaiman_fp1_10> show configuration | display set | match ospf
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set security zones security-zone trust host-inbound-traffic protocols ospf
Note: ge-0/0/0.0 and the loopback interface are configured as passive OSPF interfaces, so their subnets are advertised into area 0 but no hellos are sent and no adjacency forms on them. No router-id is set under routing-options, so Junos derives it from the lo0.0 address; that is why the ID column in the neighbour output below shows 1.1.1.1, 2.2.2.2 and 3.3.3.3.
root@sulaiman_fp1_10> show ospf neighbor
Address Interface State ID Pri Dead
10.10.10.11 ge-0/0/1.0 Full 2.2.2.2 128 38
172.16.0.12 ge-0/0/2.0 Full 3.3.3.3 128 33
root@sulaiman_fp2_11> show ospf neighbor
Address Interface State ID Pri Dead
10.10.10.10 ge-0/0/1.0 Full 1.1.1.1 128 36
172.31.0.12 ge-0/0/2.0 Full 3.3.3.3 128 33
root@sulaiman_fb3_12> show ospf neighbor
Address Interface State ID Pri Dead
172.16.0.10 ge-0/0/1.0 Full 1.1.1.1 128 39
172.31.0.11 ge-0/0/2.0 Full 2.2.2.2 128 34
root@sulaiman_fb3_12> show route protocol ospf
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
1.1.1.1/32 *[OSPF/10] 3w0d 18:00:17, metric 1
> to 172.16.0.10 via ge-0/0/1.0
2.2.2.2/32 *[OSPF/10] 3w0d 18:00:07, metric 1
> to 172.31.0.11 via ge-0/0/2.0
10.10.10.0/24 *[OSPF/10] 3w0d 18:00:07, metric 2
> to 172.16.0.10 via ge-0/0/1.0
to 172.31.0.11 via ge-0/0/2.0
224.0.0.5/32 *[OSPF/10] 3w0d 18:01:32, metric 1
MultiRecv
root@sulaiman_fb3_12> ping 10.10.10.11
PING 10.10.10.11 (10.10.10.11): 56 data bytes
64 bytes from 10.10.10.11: icmp_seq=0 ttl=63 time=10.338 ms
64 bytes from 10.10.10.11: icmp_seq=1 ttl=63 time=10.426 ms
^C
--- 10.10.10.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.338/10.382/10.426/0.044 ms
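As an added example that is not part of the original post, here is how the zone and OSPF configuration shown above can be tightened before the lab is reused anywhere beyond an isolated host: the weak settings (any-service on transit interfaces, cleartext management services, unauthenticated OSPF, the management subnet advertised into area 0) are replaced by their corrected counterparts. It uses the interface names, zones and addresses of sulaiman_fp1_10 from the snippets above; the MD5 key is a placeholder, and the same key-id and key must be configured on the peer interfaces of sulaiman_fp2_11 and sulaiman_fb3_12 or the adjacencies will not come back. The `#` lines are notes for the reader; paste only the set/delete/commit lines into configuration mode.

```junos
# Added hardening example for the lab above (not from the original post).
# Run in configuration mode on sulaiman_fp1_10; repeat with the matching
# addresses and the same OSPF key on the other two vSRXs.

# 1. Management zone: drop cleartext and unneeded services on ge-0/0/0.0.
#    ssh, https and ping from the factory defaults stay in place.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp

# 2. Transit interfaces: replace any-service with only what the lab uses (ping).
#    OSPF itself is already allowed at zone level by
#    "host-inbound-traffic protocols ospf" and is left untouched.
delete security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
delete security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

# 3. Pin the router ID instead of relying on lo0 selection, and authenticate
#    OSPF hellos on the transit links. Key-id 1 and the key value are
#    placeholders; the peers need identical values.
set routing-options router-id 1.1.1.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "REPLACE-WITH-SHARED-SECRET"
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 authentication md5 1 key "REPLACE-WITH-SHARED-SECRET"

# 4. Stop advertising the management subnet (10.155.80.0/20) into area 0.
delete protocols ospf area 0.0.0.0 interface ge-0/0/0.0

commit check
commit comment "lab hardening: zone services trimmed, OSPF MD5, router-id pinned"
```

After the commit, `show ospf interface detail` reports the authentication type per interface, and `show ospf neighbor` should again list both neighbours in Full state once the peers carry the matching key. Until they do, their unauthenticated hellos are ignored, which is exactly the protection this buys against another VM on the same port group injecting routes.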
Configure LLDP
In the topology diagram shown above, LLDP links were discovered in addition to the OSPF links. To configure LLDP:
root@sulaiman_fp1_10> show configuration | display set | match lldp
set protocols lldp interface ge-0/0/1.0
set protocols lldp interface ge-0/0/2.0
root@sulaiman_fp1_10> show lldp neighbors
Local Interface Parent Interface Chassis Id Port info System Name
ge-0/0/1.0 - 4c:96:14:3e:12:80 ge-0/0/1.0 sulaiman_fp2_11
ge-0/0/2.0 - 4c:96:14:78:91:80 ge-0/0/1.0 sulaiman_fb3_12
Hope you find this post useful! Enjoy Network Virtualization!
Bonus Tips: If you have prior experience with ScreenOS, you can take the web-based training “Junos as a Security Language”.
If you find any errors in the post, please contact me. I will be happy to correct it.
It has been a long time since I wrote a certification exam. The last one I did was SCJP 1.4 (Java certification, in 2007).
My work is based on Network Management Systems (NMS). I had been planning to take some network certifications for many years but could not do it due to work/family/master's degree commitments…
To start on this plan, I did CCNA R&S in February 2015 and JNCIA in April 2015. Alhamdulillah.
Here are details about my JNCIA preparation, which might help someone.
Take a look at the Juniper Networks Fast Track certification program (click here).
The JNCIA (Junos) syllabus is not as heavy as CCNA's. JNCIA (Junos) is the first-level certification and the prerequisite for all other Juniper Networks certifications.
Junos OS – You will love the beauty of the Juniper Networks Junos OS CLI and its cool features!
Routing Fundamentals
Routing Policy
Firewall Filters – Like access lists in Cisco IOS
How did I prepare for this exam?
#1) Take Juniper Networks web-based training (free)
Networking Fundamentals – WBT – It is worth taking this self-paced training. It will help review the network fundamentals; even if you are CCNA certified, it is a useful refresher of the basics.
#5) Take the pre-assessment exam to get an exam discount (you get a 50% exam discount voucher). You can take the pre-assessment exam as many times as you like.
#6) If you have an Android/iPhone/iPad device, download the Junos Genius app and practice the questions in it.
#7) If you find it difficult to answer questions on any of the topics, study those topics from the old JNCIA study guide PDF. I had difficulty understanding Routing Policy, so I studied just that chapter from the study guide.
You may need an account to download/view any of the above resources, so register for a login. It is again free :-).
The JNCIA exam fee is $100, and you get a 50% discount after passing the pre-assessment exam, so the fee comes to $50.
That’s it. You are good to go. Book the JNCIA exam and get JNCIA certified 🙂
Bonus Tips: If you need hands-on experience with Junos devices, you can download Juniper vSRX and deploy it in VMware ESXi/KVM. Enjoy practicing the Junos OS CLI!