This article is part of a bigger document that I wrote for myself with notes about Cisco ACI, Openshift, HP Synergy, 3PAR integration and contains the part I found most challenging considering I learned it from 0 in a rather constraining time interval and with some pressure.
As such I felt the need to document it and do a sort of braindump in order to avoid reinventing the wheel in the future in case I start forgetting.
You know those moments when you need to connect to a corporate VPN and all the steps and clicks are just getting terribly annoying? Well I went through the same phase and decided to write something to make my life a tad easier.
As this is rather a draft version nothing will block the user from interfering. As such, if you want it to work successfully then please do not click around or do any action while the script is running in order to not change the focus of the window where it is doing its magic.
I’ll keep this one simple and put here two schemas that I found on the Internet for the concept of redo and undo logs in Oracle. I don’t know about other people but I work much easier with schemas and a few words rather than 100-page-long documents filled with just text.
What is this? Pretty simple… Juniper started off automating stuff via SLAX, something that did not get too much traction, and then Python took the lead in front of it. SLAX is an XML/XPath-based language, and for simple things you can find it pretty useful and not so complicated to learn. What the script below does is effectively enable a MIC upon its insertion into an MX5. Previously someone from operations would have to go manually on the device and enable it.
A customer asked me at some point if we could evaluate how the CoPP DDOS automated filters on a Juniper MX are triggered and how fast they respond to different types of packets. As such I needed to craft custom traffic. I was not very good at coming up with it for Ostinato or Spirent so I used Scapy to craft the packet. Afterward I took the packet hexdump and input it into Spirent / Ostinato as what the streams from there should generate (that hexdump has indeed all data needed, source/dst addresses included which meant of course that it needs to match what Spirent thinks it has on the interface facing the Juniper device).
Examples of generated packets:
A current customer test aimed to see how well the AVI Load Balancer scales, and as such they used Ixia BreakingPoint to determine the behavior. The point was to see when exactly the AVI Controller tells Openstack to spawn a new Instance of an AVI SE (Avi Load Balancer VM that holds a VIP and pool members reachable behind it) and how this process goes.
The following setups were tested:
Have you ever found yourself in a strange situation where:
Let’s say that with a bit of creativity you can always find a way in. Here we go:
Sometimes it may happen that when you look in Contrail at the interfaces on a vRouter (on a Compute host), some of them appear down. This you can also see on the Compute Node itself with vif --list. There can be some leftovers and this is the way to clean them up:
Sometimes when playing in the Contrail GUI (e.g. with EVPN-VXLAN settings via the Router object) you might trigger some problems with the objects in the internal contrail api database and then end up in an inconsistent state. This article aims at showing a simple way of cleaning that one up (in my case changing the VNI triggered a bug).
This article aims to show a simple way to create custom Firewall Tags for the new Contrail Security concept, apply them to an element (Virtual Network or Virtual Machine Interface == Neutron Port), create a Firewall rule that uses them, and attach that rule to a Firewall Policy.
A few theoretical steps:
This assumes that later we will map (not present in this article) the firewall policy to the Default Application Policy. To reduce the confusion a bit, Juniper’s Contrail Security has the following structure: