HON95, 1 year ago
Parent
Current commit
5e77141361
7 files changed, 223 insertions and 240 deletions
  1. +6 -4 linux-server/debian.md
  2. +1 -0 networking/fs-fsos-switches.md
  3. +1 -116 networking/juniper-ex.md
  4. +161 -0 networking/juniper-junos.md
  5. +1 -90 networking/juniper-srx.md
  6. +11 -16 networking/vyos.md
  7. +42 -14 virt-cont/proxmox-ve.md

+ 6 - 4
linux-server/debian.md

@@ -91,10 +91,12 @@ The first steps (`(Skip)`) may be skipped if already configured during installat
         - Try typing characters specific to your keyboard.
         - Update if wrong: `dpkg-reconfigure keyboard-configuration`
 1. (Skip) Set the hostname:
-    - Set the shortname: `hostnamectl set-hostname <shortname>`
-    - Set both the shortname and FQDN in `/etc/hosts` using the following format: `127.0.0.1 <fqdn> <shortname>`
-        - If the server has a static IP address, use that instead of 127.0.0.1.
-    - Check the hostnames with `hostname` (shortname) and `hostname --fqdn` (FQDN).
+    - Set the shortname: `hostnamectl set-hostname <shortname>` (no domain)
+    - Set both the shortname and FQDN in `/etc/hosts` using the following format, one line for IPv4 and one for IPv6: `<ip-addr> <fqdn> <shortname>`
+    - Check the hostname info:
+        - Shortname: `hostname`
+        - FQDN: `hostname --fqdn`
+        - IP addresses: `hostname --ip-address`
 1. Packages:
     - (Optional) Enable the `contrib` and `non-free` repo areas: `add-apt-repository <area>`
         - Or by setting `main contrib non-free` for every `deb`/`deb-src` in `/etc/apt/sources.list`.
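Review bot: the new `/etc/hosts` line `<ip-addr> <fqdn> <shortname>` drops the guidance that the removed line carried ("If the server has a static IP address, use that instead of 127.0.0.1"), so a reader no longer knows whether to put the loopback address or the real address there. Suggest keeping one sentence on which address to use for each of the two lines (the static IPv4/IPv6 address when the host has one), since `hostname --fqdn` and `hostname --ip-address` resolve through exactly this file and will return the loopback address if that is what was entered.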

+ 1 - 0
networking/fs-fsos-switches.md

@@ -16,6 +16,7 @@ breadcrumbs:
 - Default credentials: Username `admin` and password `admin`.
 - Default mgmt. IP address: `192.168.1.1/24`
 - By default, SSH, Telnet and HTTP servers are accessible using the default mgmt. address and credentials.
+- For SSH you might need to specify `-o HostKeyAlgorithms=+ssh-rsa`.
 - Serial config: RS-232 w/ RJ45, baud 115200, 8 data bits, no parity bits, 1 stop bit, no flow control.
 - The default VLAN is VLAN1.
 

+ 1 - 116
networking/juniper-ex.md

@@ -103,122 +103,7 @@ breadcrumbs:
 
 ## Initial Setup
 
-Example for setting up base system for a simple L2 switch.
-
-1. Connect to the switch using serial:
-    - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
-1. Login:
-    - Username `root` and no password.
-    - Logging in as root will always start the shell. Run `cli` to enter the operational CLI.
-1. (Optional) Free virtual chassis ports (VCPs) for normal use:
-    1. Enter op mode.
-    1. Show VCPs: `show virtual-chassis vc-port`
-    1. Remove VCPs: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
-    1. Show again to make sure they disappear. This may take a few seconds.
-1. Enter configuration mode:
-    - Enter: `configure`
-    - Exit: `exit`
-1. Set host name:
-    - `set system host-name <host-name>`
-    - `set system domain-name <domain-name>`
-1. Enable auto snapshotting and restoration on corruption:
-    - `set system auto-snapshot`
-1. Disable DHCP auto image upgrade:
-    - `delete chassis auto-image-upgrade`
-1. Set new root password:
-    - `set system root-authentication plain-text-password` (prompts for password)
-1. (Optional) Commit (stop the auto-upgrade spam etc.).
-1. Setup a non-root user:
-    - `set system login user <user> [full-name "<full-name>"] class super-user authentication plain-text-password` (prompts for password)
-1. Setup SSH:
-    - Enable server: `set system services ssh`
-    - Disable root login from SSH: `set system services ssh root-login deny`
-1. Set DNS servers:
-    - `set system name-server <addr>` (once for each address)
-1. Set time:
-    1. (Optional) Set time locally: `run set date <YYYYMMDDhhmm.ss>`
-    1. Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
-    1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
-    1. Set time zone: `set system time-zone Europe/Oslo` (example)
-    1. (Note) After committing, use `show ntp associations` to verify NTP.
-    1. (Note) After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
-1. Delete default interfaces configs:
-    - `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
-1. Disable dedicated management port and alarm:
-    1. Disable: `set int me0 disable`
-    1. Delete logical interface: `delete int me0.0`
-    1. Disable link-down alarm: `set chassis alarm management-ethernet link-down ignore`
-1. Disable default VLAN:
-    1. Delete logical interface (before disabling): `delete int vlan.0`
-    1. Disable logical interface: `set int vlan.0 disable`
-1. Create VLANs:
-    - `set vlans <name> vlan-id <VID>`
-1. (Optional) Setup interface-ranges (apply config to multiple configured interfaces):
-    - Declare range: `edit interfaces interface-range <name>`
-    - Add member ports: `member-range <begin-if> to <end-if>`
-    - Configure it as a normal interface, which will be applied to all members.
-1. (Optional) Setup LACP:
-    1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
-    1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
-    1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
-    1. Add member interfaces: `wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>`
-    1. Add some description to member interfaces: `wildcard range set interfaces ge-0/0/[0-1] description link:switch`
-    1. Enter LAG interface: `edit interface ae<n>`
-    1. Set description: `set desc link:switch`
-    1. Set LACP active: `set aggregated-ether-options lacp active`
-    1. Set LACP fast: `set aggregated-ether-options lacp periodic fast`
-    1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
-    1. Enter logical unit: `edit unit 0`
-    1. Setup VLAN/address/etc. (see other examples).
-1. (Optional) Setup VLAN interfaces:
-    1. Setup trunk ports:
-        1. (Note) `vlan members` supports both numbers and names. Use the `[VLAN1 VLAN2 <...>]` syntax to specify multiple VLANs.
-        1. (Note) Instead of specifying which VLANs to add, specify `vlan members all` and `vlan except <excluded-VLANs>`.
-        1. (Note) `vlan members` should not include the native VLAN (if any).
-        1. Enter unit 0 and `family ethernet-switching` of the physical/LACP interface.
-        1. Set mode: `set port-mode trunk`
-        1. Set VLANs: `set vlan members <VLANs>`
-        1. (Optional) Set native VLAN: `set native-vlan-id <VID>`
-    1. Setup access ports:
-        1. Enter unit 0 and `family ethernet-switching` of the physical/LACP interface.
-        1. Set access VLAN: `set vlan members <VLAN-name>`
-1. (Optional) Setup L3 interfaces:
-    1. (VLAN) Set L3-interface: `set vlans <name> l3-interface vlan.<VID>`
-    1. Enter unit 0 of physical/LACP interface or `vlan.<VID>` for VLAN interfaces.
-    1. Set IPv4 address: `set family inet address <address>/<prefix-length>`
-    1. Set IPv6 address: `set family inet6 address <address>/<prefix-length>`
-1. (Optional) Setup static IP routes:
-    1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
-    1. IPv6 default gateway: `set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>`
-1. (Optional) Disable/enable Ethernet flow control:
-    - (Note) Junos uses the symmetric/bidirectional PAUSE variant of flow control.
-    - (Note) This simple PAUSE variant does not take traffic classes (for QoS) into account and will pause _all_ traffic for a short period (no random early detection (RED)) if the receiver detects that it's running out of buffer space, but it will prevent dropping packets _within_ the flow control-enabled section of the L2 network. Enabling it or disabling it boils down to if you prefer to pause (all) traffic or drop (some) traffic during congestion. As a guideline, keep it disabled generally (and use QoS or more sophisticated variants instead), but use it e.g. for dedicated iSCSI networks (which handle delays better than drops). Note that Ethernet and IP don't require guaranteed packet delivery.
-    - (Note) It _may_ be enabled by default, so you should probably enable/disable it explicitly (the docs aren't consistent with my observations).
-    - (Note) Simple/PAUSE flow control (`flow-control`) is mutually exclusive with priority-based flow control (PFC) and asymmetric flow control (`configured-flow-control`).
-    - Disable on Ethernet interface (explicit): `set interface <if> [aggregated-]ether-options no-flow-control`
-    - Enable (explicit): `... flow-control`
-1. (Optional) Enable EEE (Energy-Efficient Ethernet, IEEE 802.3az):
-    - (Note) For reducing power consumption during idle periods. Supported on RJ45 copper ports.
-    - (Note) There generally is no reason to not enable this on all ports, however, there may be certain devices or protocols which don't play nice with EEE (due to poor implementations).
-    - Enable on RJ45 Ethernet interface: `set interface <if> ether-options ieee-802-3az-eee`
-1. (Optional) Configure RSTP:
-    - (Note) RSTP is enabled for all interfaces by default.
-    - Enter config section: `edit protocols rstp`
-    - Set interfaces: `set interfaces all` (example)
-    - (Optional) Set priority: `set bridge-priority <priority>` (default 32768, should be a multiple of 4096, use e.g. 32768 for access, 16384 for distro and 8192 for core)
-    - (Optional) Set hello time: `set hello-time <seconds>` (default 2s)
-    - (Optional) Set maximum age: `set max-age <seconds>` (default 20s)
-    - (Optional) Set forward delay: `set forward-delay <seconds>` (default 15s)
-    - Set edge ports: `wildcard range set protocols rstp interface ge-0/0/[2-5] edge` (example)
-    - Enable BPDU guard on all edge ports: `set protocols rstp bpdu-block-on-edge`
-1. Configure SNMP:
-    - (Note) SNMP is extremely slow on the Juniper switches I've tested it on.
-    - Enable public RO access: `set snmp community public authorization read-only`
-1. Configure sFlow:
-    - **TODO**
-1. Commit configuration: `commit [confirmed]`
-1. Exit config mode: `exit`
-1. Backup config to rescue config: `request system configuration rescue save`
+See the Junos general notes.
 
 ## Commands
 
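Review bot: "See the Junos general notes." gives no link, while the rest of this page uses markdown links for cross-references; suggest linking to the juniper-junos page so the removed setup steps remain one click away. Two EX-specific details from the removed list also do not resurface in this commit and may be worth a short EX note here: the `delete int vlan.0` / `set int vlan.0 disable` default-VLAN step (the consolidated page only mentions `irb.0` with a note that older devices call it `vlan`) and the sFlow `**TODO**` item, which is simply gone rather than carried over.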

+ 161 - 0
networking/juniper-junos.md

@@ -13,6 +13,167 @@ breadcrumbs:
 - [Introduction to Junos – Part 1 (Packet Pushers)](https://packetpushers.net/introduction-to-junos-part-1/)
 - [Introduction to Junos – Part 2 (Packet Pushers)](https://packetpushers.net/introduction-to-junos-part-2/)
 
+### Initial Setup
+
+Common setup for MX, SRX, QFX, EX.
+
+1. Connect to the switch using serial:
+    - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
+1. Log in:
+    1. It should say "Amnesiac" above the login prompt as the name of the switch, to show that it's factory reset.
+    1. Login as `root` with no password to enter the shell.
+    1. Enter the Junos operational CLI by typing `cli`.
+1. (EX) (Optional) Free virtual chassis ports (VCPs) for normal use:
+    1. Enter op mode.
+    1. Show VCPs: `show virtual-chassis vc-port`
+    1. Remove VCPs: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
+    1. Show again to make sure they disappear. This may take a few seconds.
+1. (Note) Enter configuration mode:
+    - Enter: `configure`
+    - Commit: `commit`
+    - Exit: `exit`
+1. Set host name:
+    1. `set system host-name <host-name>`
+    1. `set system domain-name <domain-name>`
+1. (Not MX) Enable auto snapshotting and restoration on corruption:
+    1. `set system auto-snapshot`
+1. Disable DHCP auto image upgrade:
+    1. `delete chassis auto-image-upgrade`
+1. Set new root password:
+    1. `set system root-authentication plain-text-password` (prompts for password)
+1. Set idle timeout:
+    1. `set system login idle-timeout 60` (60 minutes)
+1. (Optional) Commit new config:
+    1. `commit`
+1. Setup a non-root user:
+    1. `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
+1. (SRX) Enable IPv6 forwarding (SRX):
+    1. Enable: `set security forwarding-options family inet6 mode flow-based`
+    1. (Info) Verify (after commit): `show security flow status`
+1. Setup SSH:
+    1. Enable server: `set system services ssh`
+    1. Disable root login from SSH: `set system services ssh root-login deny-password`
+    1. (Note) Do *not* use `ssh root-login deny`, it may cause FPCs to go unresponsive and offline for Junos v21 and later ([link](https://prsearch.juniper.net/problemreport/PR1629943)).
+1. (Maybe) Disable licensing and phone-home (for grey-market devices):
+    1. `delete system license`
+    1. `delete system phone-home`
+1. Set DNS servers:
+    1. Delete default: `delete system name-server`
+    1. Set new (for each one): `set system name-server <addr>`
+1. Set time:
+    1. Set time zone: `set system time-zone Europe/Oslo` (example)
+    1. (Optional) Set time manually (UTC): `run set date <YYYYMMDDhhmm.ss>`
+    1. (Deprecated) Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
+    1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
+    1. (Info) After committing, use `show ntp associations` to verify NTP.
+    1. (Info) After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
+1. Set misc system options:
+    1. Setup loopback as default address: `set system default-address-selection`
+    1. Enable PMTUD: `set system internet-options path-mtu-discovery`
+1. Configure LLDP:
+    1. (Optional) Enable for all interfaces: `set protocols lldp interface all`
+    1. (Optional) Enable for specific interfaces: `set protocols lldp interface xe-0/1/0`
+    1. (Optional) Disable for specific interfaces: `set protocols lldp interface xe-0/1/0 disable`
+1. Configure SNMP:
+    1. (Info) SNMP is extremely slow on the Juniper devices I've tested it on.
+    1. Enable public RO access (or generate a secret community string): `set snmp community public authorization read-only`
+1. (Optional) Set loopback addresses (if using routing):
+    1. `set interfaces lo0.0 family inet address <address>/32`
+    1. `set interfaces lo0.0 family inet6 address <address>/32`
+1. (Optional) Setup static IP routes (if not using dynamic routing):
+    1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
+    1. IPv6 default gateway: `set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>`
+    1. (Optional) Setup null routes for site prefixes.
+1. Disable management port link-down alarm:
+    1. Disable alarm: `set chassis alarm management-ethernet link-down ignore`
+1. Disable management port:
+    1. (Note) This port goes by many names: `fxp0`, `me0`, `em0`, `em1`, `vme`, ...
+    1. Delete interface: `delete int <port>`
+    1. Disable interface: `set int <port> disable`
+    1. (If exists) Disable RA: `delete protocols router-advertisement interface <port>.0`
+1. (Optional) Set PIC interface speed/mode (if applicable):
+    1. (Info) E.g. the device has 40G/100G ports and you need to configure the ports for them to show up in `sh int terse`.
+    1. (Info) Some devices have a maximum capacity that can't be oversubscribes, e.g. 400G for the MX204.
+    1. Show FPCs and PICs: `run show chassis fpc pic-status`
+    1. Set speed (example): `set chassis fpc 0 pic 0 port 0 40g`
+1. (EX/QFX/SRX) Create VLANs:
+    1. Create: `set vlans <name> vlan-id <VID>`
+    1. (Optional) Set RVI: `set vlans <name> l3-interface irb.<VID>`
+1. Setup interfaces: See section below.
+1. (EX/QFX/SRX) Configure RSTP:
+    - (Note) RSTP is enabled for all interfaces by default.
+    - Enter config section: `edit protocols rstp`
+    - Set interfaces: `set interfaces all` (example)
+    - Set priority: `set bridge-priority <priority>` (default 32768/32k, should be a multiple of 4k, use e.g. 32k for access, 8k for distro and 4k for core)
+    - (Optional) Set hello time: `set hello-time <seconds>` (default 2s)
+    - (Optional) Set maximum age: `set max-age <seconds>` (default 20s)
+    - (Optional) Set forward delay: `set forward-delay <seconds>` (default 15s)
+    - Set edge ports: `wildcard range set protocols rstp interface ge-0/0/[2-5] edge` (example)
+    - Enable BPDU guard on all edge ports: `set protocols rstp bpdu-block-on-edge`
+1. (SRX) Setup security stuff (zones, policies, NAT, screens).
+    1. `delete security`
+    1. Setup as desired.
+1. Commit configuration: `commit [confirmed]`
+1. Exit config CLI: `exit`
+1. Save the rescue config: `request system configuration rescue save`
+1. (SRX) Save the autorecovery info: `request system autorecovery state save`
+1. (SRX) Reboot the device to change forwarding mode and stuff (if changed): `request system reboot`
+
+#### Interfaces
+
+1. (Optional) Delete default interfaces configs (example):
+    1. `wildcard range delete interface ge-0/0/[0-7]`
+1. (EX/QFX/SRX) (Optional) Disable default VLAN RVI:
+    1. (Note) The interface is called `vlan` for older devices and `irb` for newer ones.
+    1. Delete config: `delete int irb.0`
+    1. Disable: `set int irb.0 disable`
+1. (Optional) Disable unused interfaces (example):
+    1. `wildcard range set interface ge-0/0/[0-7] disable`
+    1. `set interface cl-1/0/0 disable`
+    1. `set interface dl0 disable`
+1. (Optional) Setup interface-ranges (apply config to multiple configured interfaces):
+    - Declare range: `edit interfaces interface-range <name>`
+    - Add member ports: `member-range <begin-if> to <end-if>`
+    - Configure it as a normal interface, which will be applied to all members.
+1. (Optional) Setup LACP toward upstream/downstream switch:
+    1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
+    1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
+    1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
+    1. Add member interfaces: `wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>`
+    1. Add some description to member interfaces: `wildcard range set interfaces ge-0/0/[0-1] description link:switch`
+    1. Enter LAG interface: `edit interface ae<n>`
+    1. Set description: `set desc link:switch`
+    1. Set LACP active: `set aggregated-ether-options lacp active`
+    1. Set LACP fast: `set aggregated-ether-options lacp periodic fast`
+    1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
+1. (EX/QFX/SRX) Setup switch trunk ports:
+    1. (Note) `vlan members` supports both numbers and names. Use the `[VLAN1 VLAN2 <...>]` syntax to specify multiple VLANs.
+    1. (Note) Instead of specifying which VLANs to add, specify `vlan members all` and `vlan except <excluded-VLANs>`.
+    1. (Note) `vlan members` should not include the native VLAN (if any).
+    1. Enter unit 0 and `family ethernet-switching` of the physical/LACP interface.
+    1. Set mode: `set port-mode trunk`
+    1. Set VLANs: `set vlan members <VLANs>`
+    1. (Optional) Set native VLAN: `set native-vlan-id <VID>`
+1. (EX/QFX/SRX) Setup access ports:
+    1. Enter unit 0 and `family ethernet-switching` of the physical/LACP interface.
+    1. Set access VLAN: `set vlan members <VLAN-name>`
+1. (EX/QFX/SRX) Setup VLAN L3 interfaces:
+    1. (VLAN) Set L3-interface: `set vlans <name> l3-interface irb.<VID>`
+    1. Enter unit 0 of physical/LACP interface or `irb.<VID>` for VLAN interfaces.
+    1. Set IPv4 address: `set family inet address <address>/<prefix-length>`
+    1. Set IPv6 address: `set family inet6 address <address>/<prefix-length>`
+1. (Optional) Disable/enable Ethernet flow control:
+    - (Note) Junos uses the symmetric/bidirectional PAUSE variant of flow control.
+    - (Note) This simple PAUSE variant does not take traffic classes (for QoS) into account and will pause _all_ traffic for a short period (no random early detection (RED)) if the receiver detects that it's running out of buffer space, but it will prevent dropping packets _within_ the flow control-enabled section of the L2 network. Enabling it or disabling it boils down to if you prefer to pause (all) traffic or drop (some) traffic during congestion. As a guideline, keep it disabled generally (and use QoS or more sophisticated variants instead), but use it e.g. for dedicated iSCSI networks (which handle delays better than drops). Note that Ethernet and IP don't require guaranteed packet delivery.
+    - (Note) It _may_ be enabled by default, so you should probably enable/disable it explicitly (the docs aren't consistent with my observations).
+    - (Note) Simple/PAUSE flow control (`flow-control`) is mutually exclusive with priority-based flow control (PFC) and asymmetric flow control (`configured-flow-control`).
+    - Disable on Ethernet interface (explicit): `set interface <if> [aggregated-]ether-options no-flow-control`
+    - Enable (explicit): `... flow-control`
+1. (Optional) Enable EEE (Energy-Efficient Ethernet, IEEE 802.3az):
+    - (Note) For reducing power consumption during idle periods. Supported on RJ45 copper ports.
+    - (Note) There generally is no reason to not enable this on all ports, however, there may be certain devices or protocols which don't play nice with EEE (due to poor implementations).
+    - Enable on RJ45 Ethernet interface: `set interface <if> ether-options ieee-802-3az-eee`
+
 ## Commands
 
 **TODO** Cleanup. Combine with SRX- and QFX-setup?
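Review bot: the IPv6 loopback line `set interfaces lo0.0 family inet6 address <address>/32` should use `/128`, the IPv6 host prefix length; `/32` assigns a whole /32 to the loopback and is almost certainly a copy of the IPv4 line. A few smaller points in the same hunk: "oversubscribes" should be "oversubscribed", the heading "(SRX) Enable IPv6 forwarding (SRX):" repeats the tag, "Connect to the switch using serial" no longer fits a page that also covers MX and SRX, and the SNMP step `set snmp community public authorization read-only` would be safer if the note led with generating a non-default community string (or using SNMPv3) instead of presenting `public` as the default choice, since read-only access still exposes the full interface and routing state. The SSH note correctly explains why `deny-password` replaces `deny`, but it would be worth one clause saying that `deny-password` still permits key-based root login, so readers who expect "root login disabled" know what they actually get.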

+ 1 - 90
networking/juniper-srx.md

@@ -20,96 +20,7 @@ breadcrumbs:
 
 ### Initial Setup
 
-1. Connect to the switch using serial:
-    - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
-1. Log in:
-    1. It should say "Amnesiac" above the login prompt as the name of the switch, to show that it's factory reset.
-    1. Login as `root` with no password to enter the shell.
-    1. Enter the Junos operational CLI by typing `cli`.
-1. Enter configuration mode:
-    - Enter: `configure`
-    - Commit: `commit`
-    - Exit: `exit`
-1. Set host name:
-    1. `set system host-name <host-name>`
-    1. `set system domain-name <domain-name>`
-1. Enable auto snapshotting and restoration on corruption:
-    1. `set system auto-snapshot`
-1. Disable DHCP auto image upgrade:
-    1. `delete chassis auto-image-upgrade`
-1. Set new root password:
-    1. `set system root-authentication plain-text-password` (prompts for password)
-1. Set idle timeout:
-    1. `set system login idle-timeout 60` (60 minutes)
-1. (Optional) Commit new config:
-    1. `commit`
-1. Setup a non-root user:
-    1. `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
-1. Enable IPv6 forwarding (SRX):
-    1. Enable: `set security forwarding-options family inet6 mode flow-based`
-    1. (Info) Verify (after commit): `show security flow status`
-1. Setup SSH:
-    1. Enable server: `set system services ssh`
-    1. Disable root login from SSH: `set system services ssh root-login deny`
-1. Disable licensing and phone-home (for grey-market devices):
-    1. `delete system license`
-    1. `delete system phone-home`
-1. Set DNS servers:
-    1. Delete default: `delete system name-server`
-    1. Set new (for each one): `set system name-server <addr>`
-1. Set time:
-    1. (Optional) Set time manually (UTC): `run set date <YYYYMMDDhhmm.ss>`
-    1. Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
-    1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
-    1. Set time zone: `set system time-zone Europe/Oslo` (example)
-    1. (Info) After committing, use `show ntp associations` to verify NTP.
-    1. (Info) After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
-1. Configure SNMP:
-    - (Info) SNMP is extremely slow on the Juniper devices I've tested it on.
-    - Enable public RO access (or generate a secret community string): `set snmp community public authorization read-only`
-1. (Optional) Set loopback addresses (if using routing):
-    1. `set interfaces lo0.0 family inet address <address>/32`
-    1. `set interfaces lo0.0 family inet6 address <address>/32`
-1. (Optional) Setup static IP routes:
-    1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
-    1. IPv6 default gateway: `set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>`
-1. (Optional) Disable dedicated management port and alarm (if any):
-    1. Disable: `set int me0 disable`
-    1. Delete logical interface: `delete int me0.0`
-    1. Disable link-down alarm: `set chassis alarm management-ethernet link-down ignore`
-1. Delete default interfaces configs (example):
-    1. `wildcard range delete interface ge-0/0/[0-7]`
-1. (Optional) Disable unused interfaces (example):
-    1. `wildcard range set interface ge-0/0/[0-7] disable`
-    1. `set interface cl-1/0/0 disable`
-    1. `set interface dl0 disable`
-1. (Optional) Setup LACP toward upstream/downstream switch:
-    1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
-    1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
-    1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
-    1. Add member interfaces: `wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>`
-    1. Add some description to member interfaces: `wildcard range set interfaces ge-0/0/[0-1] description link:switch`
-    1. Enter LAG interface: `edit interface ae<n>`
-    1. Set description: `set desc link:switch`
-    1. Set LACP active: `set aggregated-ether-options lacp active`
-    1. Set LACP fast: `set aggregated-ether-options lacp periodic fast`
-    1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
-1. Delete default security (zones, policies, NAT, screens).
-    1. `delete security`
-1. Commit configuration: `commit [confirmed]`
-1. Exit config CLI: `exit`
-1. Save the rescue config: `request system configuration rescue save`
-1. Save the autorecovery info: `request system autorecovery state save`
-1. Reboot the device to change forwarding mode and stuff (if changed): `request system reboot`
-
-### Interface Setup
-
-See [Juniper EX](/config/network/juniper-ex/).
-
-### Other Setup
-
-1. Configure sFlow:
-    1. **TODO**
+See the Junos general notes.
 
 ## Theory
 
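Review bot: the replacement text "See the Junos general notes." has no link, and the removed "Interface Setup" section pointed at `/config/network/juniper-ex/`, whose setup section is deleted in the same commit; both should point at the new juniper-junos page. The removed SRX list also carried "Other Setup" with a sFlow `**TODO**` that is not carried over; either drop it deliberately in the commit message or keep the placeholder on the consolidated page.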

+ 11 - 16
networking/vyos.md

@@ -25,7 +25,7 @@ See [Installation (VyOS)](https://docs.vyos.io/en/latest/install.html).
 1. Log in using user `vyos` and password `vyos`.
 1. Run `install image` to run the permanent installation wizard.
     - Keep the suggested image name to keep track of versions.
-    - If asked about which config to copy, any one is fine.
+    - If asked about which config to copy, either one is fine.
 1. Remove the live image and reboot.
 
 ## Initial Configuration
@@ -46,8 +46,8 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
 1. Set the DNS servers: `set system name-server <ip-address>` (for each server)
 1. Set the time zone: `set system time-zone Europe/Oslo` (example)
 1. (Optional) Replace the NTP servers:
-    1. Remove default NTP servers: `delete system ntp <server>` (for each server)
-    1. Add new NTP servers: `set system ntp server ntp.justervesenet.no` (example)
+    1. Remove default NTP servers: `delete service ntp server`
+    1. Add new NTP servers: `set service ntp server ntp.justervesenet.no` (example)
 1. (Optional) Enable Ctrl+Alt+Del reboot: `set system options ctrl-alt-del-action reboot` (or `ignore`)
 1. Set up a plain WAN-facing interface with an IP address (without LAG or VLAN):
     1. Show all Ethernet interfaces: `run show interfaces ethernet detail`
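Review bot: `delete service ntp server` removes all configured servers at once, whereas the removed line deleted them one by one; that is fine, but since the `system ntp` to `service ntp` move is a VyOS 1.4 change (as the firewall hunk later notes), the same version note belongs here so readers on 1.3 are not surprised when the path does not exist.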
@@ -62,6 +62,7 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
 1. Set default routes: `set protocols static route[6] <0.0.0.0/0|::/0> next-hop <next-hop>` (for IPv4 and IPv6)
 1. (Optional) Setup basic SSHD:
     1. Enable server: `set service ssh`
+    1. (Optional) Disable password login (pubkeys only): `set service ssh disable-password-authentication`
     1. (Optional) Commit and log in through SSH instead of the console.
 1. Replace default user:
     1. (Note) You may want to skip ahead to the SSHD step so you can paste stuff vis SSH instead of manually writing it into the console.
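Review bot: placing `set service ssh disable-password-authentication` before the "Replace default user" step, where the public key is first configured, invites a lockout: if the reader commits it here and then follows "Commit and log in through SSH instead of the console", the password-only `vyos` user can no longer log in over SSH. Suggest stating that this option should be committed only after a key-based login for the new user has been verified, or keeping it in the later position it was removed from.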
@@ -74,9 +75,6 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
         1. Set key (only the Base64-encoded part): `set authentication public-keys <name> key <key>`
     1. Commit and log into the new user.
     1. Delete the default user: `delete system login user vyos`
-1. Setup SSHD:
-    1. Enable server: `set service ssh`
-    1. (Optional) Disable password login (pubkeys only): `set service ssh disable-password-authentication`
 1. (Optional) Set up a LAG interface:
     1. Enter interface config: `edit interfaces bonding bond<n>`
     1. Set member interfaces: `set member interface <if>`
@@ -90,11 +88,12 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
     1. Configure as a normal interface.
 1. (Optional) Set black hole route: `set protocols static route[6] <prefix> blackhole` (for IPv4 and IPv6)
 1. Enable LLDP: `set service lldp interface all`
-1. Enable unicast reverse path forwarding (uRPF) globally: `set firewall source-validation strict`
 1. Set firewall:
-    1. Enter `firewall` section.
-    1. Set options:
-        1. `set all-ping false` (or keep it if you want to allow all pings)
+    1. (Note) VyOS 1.4.xxx changed to a new firewall structure.
+    1. Set options and default policies:
+        1. `edit firewall global-options`
+        1. `set source-validation strict` (uRPF)
+        1. `set all-ping enable`
         1. `set broadcast-ping disable`
         1. `set receive-redirects disable`
         1. `set ipv6-receive-redirects disable`
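Review bot: the replacement `set all-ping enable` inverts the previous `set all-ping false` without comment; the removed line offered a choice ("or keep it if you want to allow all pings"), so either keep that choice or say in the commit why the recommendation is now to allow all pings. Also "VyOS 1.4.xxx" should name the actual minor release where the firewall structure changed, since readers use this note to decide which syntax applies to their version.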
@@ -104,12 +103,8 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
         1. `set send-redirects disable`
         1. `set syn-cookies enable`
         1. `set twa-hazards-protection disable`
-    1. Set default policies:
-        - `set firewall state-policy established action accept`
-        - `set firewall state-policy related action accept`
-        - `set firewall state-policy invalid action drop`
-    1. Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so you can suffix the names with `-4` and `-6` to avoid conflict.
-    1. Attach rule sets to interfaces (typically "local" and "out").
+    1. (**OUTDATED**) Create IPv4 and IPv6 rule sets. Note that IPv4 and IPv6 rule sets can't share names, so you can suffix the names with `-4` and `-6` to avoid conflict.
+    1. (**OUTDATED**) Attach rule sets to interfaces (typically "local" and "out").
 1. Set banners:
     1. (Note) Newlines must be escaped with `\n`.
     1. Set pre-login banner: `set system login banner pre-login ""` (disable)
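Review bot: The three state-policy lines (established accept, related accept, invalid drop) are deleted outright rather than marked (**OUTDATED**) like the rule-set steps below them, so the procedure no longer sets any stateful default and a reader following the new `global-options` steps ends up without the established/related accept and invalid drop that the old default policies provided; either mark them (**OUTDATED**) for consistency or add their equivalent under the new `global-options` section (e.g. `set state-policy established action accept`, assuming the option lives there in 1.4).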

+ 42 - 14
virt-cont/proxmox-ve.md

@@ -11,6 +11,8 @@ Using **Proxmox VE 7** (based on Debian 11).
 
 ### Installation
 
+#### PVE Installer Method
+
 1. Make sure UEFI and virtualization extensions are enabled in the BIOS settings.
 1. (Optional) Find a mouse.
     - The GUI installer doesn't require it any more, but it's still somewhat practical.
@@ -28,6 +30,27 @@ Using **Proxmox VE 7** (based on Debian 11).
 1. Miscellanea:
     - Make sure you set the correct FQDN during the install. This is a bit messy to change afterwards.
 
+#### Debian Manual Method
+
+Using Debian 12 (Bookwork).
+
+1. Install Debian as normal: See [Debian Server](/linux-server/debian/).
+1. Install PVE on top: See [Install Proxmox VE on Debian 12 Bookworm](https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm).
+
+Tips:
+
+- Set the hostname:
+    - Set the shortname: `hostnamectl set-hostname <shortname>` (no domain)
+    - Set both the shortname and FQDN in `/etc/hosts` using the following format, one line for IPv4 and one for IPv6: `<ip-addr> <fqdn> <shortname>`
+    - Check the hostname info:
+        - Shortname: `hostname`
+        - FQDN: `hostname --fqdn`
+        - IP addresses: `hostname --ip-address`
+
+#### Ansible Method
+
+See [lae.proxmox](https://github.com/lae/ansible-role-proxmox).
+
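Review bot: "Bookwork" in "Using Debian 12 (Bookwork)." should be "Bookworm" (the linked wiki title spells it correctly). The hostname tips duplicate the steps the linked Debian Server page already carries; a one-line pointer would avoid the two copies drifting apart. The link target `/linux-server/debian/` also differs from `/config/linux-server/debian/` used under "Initial Configuration" further down in the same file; one of the two paths is presumably stale.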
 ### Initial Configuration
 
 Follow the instructions for [Debian server](/config/linux-server/debian/) in addition to the notes and instructions below (read them first).
@@ -41,37 +64,41 @@ PVE-specific instructions:
     1. Comment out all content from `/etc/apt/sources.list.d/pve-enterprise.list` to disable the enterprise repo.
     1. Create `/etc/apt/sources.list.d/pve-no-subscription.list` containing `deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription` to enable the no-subscription repo.
     1. Run a full upgrade: `apt update && apt full-upgrade`
+1. Install basics:
+    1. `apt install sudo vim`
 1. Update network config:
     1. (Note) Do NOT manually modify the configs for DNS, NTP, IPTables, etc. The network config (`/etc/network/interfaces`) and PVE configs _may_ however be manually modified, but the GUI or API is still recommended.
     1. (Note) Consider using Open vSwitch (OVS):
         - Plain Linux stuff (the way PVE uses it at least) may break for certain setups where e.g. PVE has a VLAN L3 interface on the same bridge as a VM has one.
-        - If using VLANs and an LACP link:
-            1. Create the OVS bridge (`vmbr<N>`). When adding tagged or untagged VM interfaces later, use this bridge.
-            1. Create the OVS bond (LACP) (`bond<N>`). Use the created bridge as the "OVS bridge" and the physical interfaces as the "slaves". Use mode "LACP (balance-tcp)" and add the OVS option `other_config:lacp-time=fast`.
+        - Install Open VSwitch: `apt install openvswitch-switch`
+        - If using VLANs and an optionally an LACP link:
+            1. (Note) Do this in a way to avoid taking the node offline, e.g. by only adding IPv6 to the new uplink and making sure it works before moving IPv4. Preferably use a separate link for the temporary uplink during install.
+            1. Create the OVS bridge (`vmbr<N>`). If *not* using LAG/LACP then add the physical interface. When adding tagged or untagged VM interfaces later, use this bridge.
+            1. If using LAG/LACP: Create the OVS bond (LACP) (`bond<N>`). Use the created bridge as the "OVS bridge" and the physical interfaces as the "slaves". Use mode "LACP (balance-tcp)" and add the OVS option `other_config:lacp-time=fast`.
             1. Create the OVS IntPort (VLAN interface) (`vlan<VID>`), which PVE will use to access the network. Use the OVS bridge and specify the VLAN ID. Set the IP addresses for PVE here.
-    1. Update network config: Use the web GUI. 
+
+    1. Update network config: Use the web GUI.
 1. Update MOTD:
     1. Disable the special PVE banner: `systemctl disable --now pvebanner.service`
     1. Clear or update `/etc/issue` and `/etc/motd`.
     1. (Optional) Set up dynamic MOTD: See the Debian guide.
 1. Setup firewall:
-    1. Open an SSH session, as this will prevent full lock-out.
-    1. Go to the datacenter firewall page.
-    1. Enable the datacenter firewall.
-    1. Add incoming rules on the management network for NDP (ipv6-icmp), ping (macro ping), SSH (tcp 22) and the web GUI (tcp 8006).
-    1. Go to the host firewall page.
-    1. Enable the host firewall (TODO disable and re-enable to make sure).
+    1. (Note) While you should probably put PVE management in a protected network separated from the VMs, you still ned to protect PVE *from* the VMs.
+    1. Open an SSH session, as this will prevent full lock-out. If you manage to lock yourself out, open the `/etc/pve/firewall/cluster.fw` config and set `enable: 0` to disable the global firewall.
+    1. Under the datacenter firewall top page, add incoming rules on the management network for ICMPv4 (ipv6-icmp), ICMPv6 (icmp), SSH (tcp 22) and the web GUI (tcp 8006), for the chosen management VLAN.
+    1. Go to the datacenter firewall options page and enable "firewall" and "ebtables". Make sure the input policy is "DROP" and the output policy is "ACCEPT".
+    1. Go to the host firewall options page and enable it.
     1. Disable NDP on the nodes. (This is because of a vulnerability in Proxmox where it autoconfigures itself on all bridges.)
     1. Enable TCP flags filter to block illegal TCP flag combinations.
     1. Make sure ping, SSH and the web GUI is working both for IPv4 and IPv6.
 1. Set up storage:
     1. Docs: [Storage (Proxmox VE)](https://pve.proxmox.com/wiki/Storage)
-    1. Create a ZFS pool or something and add it to `/etc/pve/storage.cfg`.
+    1. Create a ZFS pool or something and add it to `/etc/pve/storage.cfg`. This can also be done in the GUI now, but you may want to to it manually if you want to tweak stuff. See [Linux Server Storage: ZFS](/linux-server/storage-zfs/).
     1. Setup backup pruning:
         - [Backup and Restore (Proxmox VE)](https://pve.proxmox.com/wiki/Backup_and_Restore)
         - [Prune Simulator (Proxmox BS)](https://pbs.proxmox.com/docs/prune-simulator/)
 1. Setup users (PAM realm):
-    1. Add a Linux user: `adduser <username>` etc.
+    1. Add a Linux user: `adduser <username>` etc. (see some Linux for adding Linux admin users).
     1. Create a PVE group: In the "groups" menu, create e.g. an admin group.
     1. Give the group permissions: In the "permissions" menu, add a group permission. E.g. path `/` and role `Administrator` for full admin access.
     1. Add the user to PVE: In the "users" menu, add the PAM user and add it to the group.
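Review bot: The protocol names on the datacenter firewall rule line are swapped: `ipv6-icmp` is ICMPv6 and `icmp` is ICMPv4, so someone copying the labels into the GUI would permit the wrong protocol family for each rule; it should read "ICMPv4 (icmp), ICMPv6 (ipv6-icmp)". Minor text issues in the same hunk: "ned" should be "need", "an optionally an LACP link" should be "and optionally an LACP link", "to to it manually" should be "to do it manually", and "(see some Linux for adding Linux admin users)" is missing the page name it means to reference. The blank line inserted before "Update network config: Use the web GUI." sits inside a nested list and may split the list when rendered.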
@@ -224,11 +251,11 @@ The "Cloud-Init" notes can be ignored if you're not using Cloud-Init. See the se
 - System tab:
     - Graphics card: Use the default. If you want SPICE, you can change to that later.
     - Qemu Agent: It provides more information about the guest and allows PVE to perform some actions more intelligently, but requires the guest to run the agent.
-    - BIOS/UEFI: BIOS w/ SeaBIOS is generally fine, but I prefer UEFI w/ OVMF (for PCIe pass-through support and stuff), assuming your OS/setup doesn't require one or the other.
+    - BIOS/UEFI: BIOS w/ SeaBIOS is generally fine, but I (sometimes) prefer UEFI w/ OVMF (for PCIe pass-through support and stuff), assuming your OS/setup doesn't require one or the other.
         - (Cloud-Init) Prepared Cloud-Init images may be using UEFI (and containing an EFI partition), so you probably need to use UEFI. With an added "EFI disk".
         - About the EFI disk: Using UEFI in PVE typically requires a "EFI disk" (in the hardware tab). This is not the EFI system partition (ESP) and is not visible to the VM, but is used by PVE/OVMF to store the EFIVARS, which contains the boot order. (If a UEFI VM fails to boot, you may need to enter the UEFI/OVMF menu through the remote console to fix the boot entries.)
     - Machine: Intel 440FX is generally fine, but Q35 supports more advanced features like PCIe pass-through support and stuff.
-    - SCSI controller: VirtIO SCSI.
+    - SCSI controller: VirtIO SCSI single.
     - Pre-enroll keys and TPM: **TODO** The docs don't mention pre-enrolled keys yet, so just use the defaults, I guess.
 - Hard disk tab:
     - (Cloud-Init) This doesn't matter, you're going to replace it afterwards with the imported Cloud-Init-ready qcow2 image. Just add something temporary since it can't be skipped.
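Review bot: The SCSI controller change to "VirtIO SCSI single" gives no reason, unlike the neighbouring items which each explain their choice; a short note that the single variant gives each disk its own controller (which the per-disk IO thread option requires) would keep the entry consistent with the rest of the tab.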
@@ -257,6 +284,7 @@ The "Cloud-Init" notes can be ignored if you're not using Cloud-Init. See the se
     - Ballooning: Enable it. It allows the guest OS to release memory back to the host when the host is running low on it. For Linux, it uses the "balloon" kernel driver in the guest, which will swap out processes or start the OOM killer if needed. For Windows, it must be added manually and may incur a slowdown of the guest.
 - Network tab:
     - Model: Use VirtIO.
+    - Bridge and VLAN: If your bridge uses VLANs, then omit the VLAN tag to pass all VLANs or set a specific tag for untagged access.
     - Firewall: Enable if the guest does not provide one itself, or if you don't want it to immediately become accessible from the network during/after installation (i.e. before you've provisioned it properly).
     - Multiqueue: When using VirtUO, it can be set to the total CPU cores of the VM for increased performance. It will increase the CPU load, so only use it for VMs that need to handle a high amount of connections.
 - Start the VM:
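Review bot: On the new "Bridge and VLAN" line, "omit the VLAN tag to pass all VLANs" should say that this hands the guest a trunk carrying every VLAN on the bridge, so it is the option for VMs that genuinely need several VLANs (a guest router or firewall) and a specific tag is the normal choice for everything else; listing the tagged-access case first would make the safe default clearer. Drive-by in the unchanged context line below: "VirtUO" should be "VirtIO".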