Scapy - examples / usage

A customer asked me at some point if we could evaluate how the CoPP DDOS automated filters on a Juniper MX are triggered and how fast they respond to different types of packets. As such I needed to craft custom traffic. I was not very good at coming up with it for Ostinato or Spirent so I used Scapy to craft the packet. Afterward I took the packet hexdump and input it into Spirent / Ostinato as what the streams from there should generate (that hexdump has indeed all data needed, source/dst addresses included which meant of course that it needs to match what Spirent thinks it has on the interface facing the Juniper device).

Examples of generated packets:

  • OSPFv3 IPSEC Encrypted Packets
  • BGP Open Packet
  • BGP IPv6 Open Packet
  • IPSEC ESP Packet
  • BGP Update Packet
  • ICMP Echo Request
  • BFD echo

Continue reading

A current customer test desired to see how well the AVI Load Balancer scales and as such they used Ixia BreakingPoint to determine the behavior. The point was to see when exactly the AVI Controller tells Openstack to spawn a new Instance of an AVI SE (Avi Load Balancer VM that holds a VIP and pool members reachable behind it) and how this process goes.

Following setups were tested:

  • AVI LB VMs doing BGP (BGPaaS) with the Contrail vRouter and announcing VIPs
  • AVI Controller being configured to spawn AVI SEs / LB VMs but using the inbuilt ECMP/AAP features of Contrail (yes, if you are asking yourselves, the VIP does not have to be from the same subnet as the AVI LB directly connected one to the vRouter)
  • AVI LB VMs doing BGP Multihop with the SDN GW inside a VRF (this means that the SDN GW learns the prefixes and reuses the same LSP/label for transport/VPN as it already has for the directly connected IP of the AVI LB VM that originated the prefix)

Continue reading

Have you ever found yourself in a strange situation where:

  • you had a Juniper device with a factory default JunOS
  • it came with no-export version -> just telnet available, no SSH
  • you have the fxp0 or em0 interface configured for remote access
  • you do not have the device next to you and need to upgrade its software so that you can finally have full functionality and SSH?

Let’s say that with a big of creativity you can always find a way in. Here we go:

Continue reading

Sometimes it may happen that when you look in Contrail at the interfaces on a vRouter (on a Compute host) that some of them appear down. This you can also see on the Compute Node itself with vif –list. There can be some leftovers and this is the way to clean them up:

Continue reading

Sometimes when playing in the Contrail GUI (eg. with EVPN-VXLAN settings via the Router object) you might trigger some problems with the objects in the internal contrail api database and then end up in an inconsistent state. This article aims at showing a simple way of cleaning that one up (in my case changing the VNI triggered a bug).

Continue reading

This article means to show a simple way to create custom Firewall Tags for the new Contrail Security concept, apply them to an element (Virtual Network or Virtual Machine Interface == Neutron Port), create a Firewall rule that uses them, attach that rule to a Firewall Policy.

A few theoretical steps:

  • create custom tag + value
  • attach custom tag + value to port (VMI/Neutron Port)
  • read default policy management ID
  • create firewall rule attached to parent = default policy management ID
  • update firewall policy with the previously created firewall rule

This assumes that later we will map (not present in this article) the firewall policy to the Default Application Policy. To eliminate a bit the confusion, Juniper’s Contrail Security has the following structure:

  • Application policy
    • Default Application Policy = applies everywhere -> we map here 1 or More Firewall Policies
    • Custom Application Policy = applies mentioned Firewall Policies just to the elements (VNs/VMIs/Project/etc) where we put the matching application tags
  • Firewall policy List of firewall rules that apply.
  • Firewall rules

Continue reading

Recently I had the chance to play in a lab with a Load Balancer manufacturer for the Cloud that I had no clue about before and which proved to be a challenging but also rewarding experience. I’m talking about AVI Load Balancer ( and this article will walk you through the basic concepts of it, how to integrate it with Contrail, how to see what it does in Contrail and how it provisions the VIPs and also what potential tips&tricks and shortcomings might be.

Continue reading

Author's picture

Mihai Tanasescu

All Rounder and Jack of all trades (master of none? :) ).
Sailing the Cloud world with my fantastic team@Aviatrix, former Network, Systems Engineer (Cisco, Juniper, Linux, Openshift, Openstack).
A flavor of Security added to the mix (Offensive Security OSCE).
If there’s anything new and cool, then I like to learn about it. I’m also a fan of deep diving under the hood of a product to see what makes it tick as well as what breaks it.

Solutions Architect @ Aviatrix