Håvard O. Nordstrand 4 years ago
parent
commit
8ac19182f3

+ 56 - 14
config/network/juniper-junos-switches.md

@@ -35,25 +35,57 @@ This page is super not done. Just random notes for now.
 1. Enter the operation mode: `cli`
 1. Enter configuration mode: `configure`
     - Use `exit` to return to CLI.
-1. 
-1. Set hostname: `set system host-name <hostname>` (conf mode)
-
-**TODO**
-1. Setup root authentication.
-1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade` (conf mode)
-1. Disable alarm for mgmt. port link down.
+1. Set root password: `set system root-authentication plain-text-password`
+1. Disable root login from SSH: `set system services ssh root-login deny`
+1. Setup a non-root user: **TODO**
+1. Set host name: `set system host-name <host-name>`
+1. Set domain name: `set system domain-name <domain-name>`
+1. Set loopback addresses:
+    1. `set interfaces lo0 unit 0 family inet address 127.0.0.1/32`
+    1. `set interfaces lo0 unit 0 family inet6 address ::1/128`
+1. Set DNS: `set system name-server <addr>` (IPv4+IPv6)
+1. Set time:
+    1. (Optional) Set time locally: `set date <YYYYMMDDhhmm.ss>`
+    1. Set server to use while booting: `set system ntp boot-server <address>`
+    1. Set server to use periodically: `set system ntp server <address>`
+    1. Set time zone: `set system time-zone Europe/Oslo` (example)
+    1. Note: After committing, use `show ntp associations` to verify NTP.
+1. Disable dedicated management port and alarm:
+    1. `set int me0 disable`
+    1. `set chassis alarm management-ethernet link-down ignore`
+1. Setup LACP: **TODO**
+1. Setup VLANs: **TODO**
+1. Set management VLAN interface: **TODO**
+1. Configure RSTP: **TODO**
 1. Enable auto snapshotting and restoration on corruption: `set system auto-snapshot`
-1. Commit.
+1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade`
+1. Commit configuration: `commit [confirmed]`
+1. Backup config to rescue config: `request system configuration rescue save`
+
+## Commands
+
+### Interfaces
+
+- Disable interface or unit: `set disable`
+- Perform operation on multiple interfaces: `wildcard range set int ge-0/0/[0-47] unit 0 family ethernet-switching` (example)
 
 ## Virtual Chassis
 
 - Virtual Chassis (VC) is a simple way of connecting multiple close or distant switches into a ring topology and managing them as a single logical device. It simplifies loop prevention (otherwise using STP) and improves fault tolerance.
 - Roles: A VC has one switch as master routing engine, one switch as backup routing engine and the remaining switches as linecards.
-- Mastership election: The master is elected based on (in order) highest mastership priority, which member was master last time, which switch has been a member the longest, and which member has the lowest MAC address.
+- Mastership election: The master is elected based on (in order) highest mastership priority, which member was master last time, which switch has been a member the longest, and which member has the lowest MAC address. When using a preprovisioned config, the mastership priority is automatically assigned based on the selected role.
 - LEDs: The "MST" LED will be solid green on the master, blinking green on the backup and off on the linecards.
 - Alarms: Alarms for a specific device will only show on the master and the actual device.
 - FPCs: Each switch will show as separate FPCs (Flexible PIC (Physical Interface Cards) Concentrators).
 
+### Best Practices
+
+- Always zeroize before merging.
+- Use no-split-detection if using exactly two devices.
+- When removing a device, recycle its old ID in the VC.
+- If not preprovisioning the VC, explicitly set the mastership priority to 255 for the devices which should be routing engines.
+- Enable synchronized commit to ensure commits are always applied to all members.
+
 ### Commands and Configuration
 
 - Show status:
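Review bot: step 2 (`set system services ssh root-login deny`) is committed while step 3, the non-root user, is still a TODO, so the first `commit` leaves no account that can log in over SSH; either fill in step 3 before the commit (for example `set system login user <name> class super-user authentication plain-text-password`) or state that this initial configuration is done from the console. The `commit [confirmed]` step should also say that a confirmed commit is rolled back automatically unless a plain `commit` follows within the timeout, and that the confirming `commit` has to happen before `request system configuration rescue save`, otherwise the rescue config captures a configuration that is about to be reverted.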
@@ -65,6 +97,19 @@ This page is super not done. Just random notes for now.
 - Virtual chassis ports (VCPs):
     - Show: `show virtual-chassis vc-port`
     - Remove: `request virtual-chassis vc-port delete pic-slot <pic-slot> port <port-number>`
+- Change assigned member ID: `request virtual-chassis renumber`
+
+### Setup
+
+1. (Optional) Prepare preprovisioned setup:
+    1. Only accept preprovisioned members: `set virtual-chassis preprovisioned`
+    1. Add members:
+        1. `set member 0 serial-number xxx role routing-engine`
+        1. `set member 1 serial-number xxx role routing-engine`
+        1. `set member 2 serial-number xxx role line-card`
+1. If using only two devices, disable split and merge: `set virtual-chassis no-split-detection`
+1. Enable implicit synchronized commit to all devices: `set system commit synchronize`
+1. Enable graceful routing engine switchover: `set chassis redundancy graceful-switchover`
 
 ### Virtual Chassis Fabric
 
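Review bot: in the preprovisioned setup the member lines (`set member 0 serial-number xxx role routing-engine` and the two below it) omit the `virtual-chassis` prefix that the line just above them (`set virtual-chassis preprovisioned`) uses; as written they only work after `edit virtual-chassis`, so either spell them out as `set virtual-chassis member 0 serial-number xxx role routing-engine` or add the `edit virtual-chassis` step. The `no-split-detection` step could also carry the consequence that was removed from Random Notes in this same commit (split and merge is on by default; when disabled, both halves stay active after a split), since that is the trade-off an operator has to weigh before enabling it.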
@@ -79,17 +124,14 @@ Virtual Chassis Fabric (VCF) evolves VC into a spine-and-leaf architecture. Whil
 
 ## Random Notes (TODO)
 
-- No "unit 0" on LACP slave interfaces.
-- `set virtual-chassis no-split-detection` (VC) (recommended for only 2 members) (The split and merge feature is enabled by default on EX Series and QFX Series Virtual Chassis. You can disable the split and merge feature by using the set virtual-chassis no-split-detection command.) (When disabled, both parts remain active after a split.)
-- Discard route for supernet.
 - `show interfaces`, `show interfaces ae0 extensive`, `show interfaces terse`, `show interfaces terse | match ae`, `show interfaces terse ge-* | match up.*up`
-- `show chassis hardware`, `show version`, `show system uptime`
-- Config. nav.: `top`, `exit`
 - Int. range: `set interfaces interface-range <whatever> [member-range ge-0/0/0 to ge-0/0/1]`
 - LACP:
+    - No "unit 0" on LACP slave interfaces.
     - (Optional) Create range or do it per phys. int.
     - `set interfaces ge-0/0/0 ether-options 802.3ad ae0`
     - `set interfaces ae0 aggregated-ether-options lacp active`
+    - `set aggregated-devices ethernet device-count <n>` (0-127)
 - Set IP address: `set interfaces ae0 unit 0 family inet address 10.0.0.1/30`
 - Static route: `set routing-options static route 10.0.0.0/24 next-hop 10.0.1.1`
 - `show configuration [...] | display set`
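Review bot: `set aggregated-devices ethernet device-count <n>` is missing the `chassis` hierarchy; the full statement is `set chassis aggregated-devices ethernet device-count <n>`, and without it the `ae` interfaces configured in the two lines above are never created. This hunk also drops `show chassis hardware`, `show version`, `show system uptime`, the `top`/`exit` navigation note and the "Discard route for supernet" reminder without re-adding them anywhere else in the diff; if they were meant to move into the new Commands section, that move is missing.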

+ 9 - 2
config/network/ubiquiti-unifi-controllers.md

@@ -37,8 +37,8 @@ Official installation instructions: [UniFi: How to Install & Upgrade the UniFi N
     - UDP 3478: STUN (for devices)
     - UDP 10001: Device discovery (for devices)
 1. (Optional) NAT port 443 to 8443 in IPTables: `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`
-1. Go to the UniFi downloads page and download for Linux/Debian.
-1. Install: `apt install <?>.deb`
+1. (Alternative 1) Install via repo: See [How to Install and Update via APT on Debian or Ubuntu (UniFi)](https://help.ui.com/hc/en-us/articles/220066768-UniFi-How-to-Install-and-Update-via-APT-on-Debian-or-Ubuntu).
+1. (Alternative 2) Install via downloaded package: Go to the UniFi downloads page and download for Linux/Debian.
 1. Configure:
     - File: `/var/lib/unifi/system.properties`
     - (Optional) Reduce the pre-allocated memory size: `unifi.xms=256`
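Review bot: Alternative 2 lost its install step: the removed `apt install <?>.deb` line has no replacement, so the item now ends after downloading the package. Suggest restoring it as `apt install ./<package>.deb` (the `./` prefix makes apt treat the argument as a local file rather than a repository package name) so that the alternative is actionable.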
@@ -46,5 +46,12 @@ Official installation instructions: [UniFi: How to Install & Upgrade the UniFi N
     - UniFi: `/usr/lib/unifi/logs/server.log`
     - MongoDB: `/usr/lib/unifi/logs/mongod.log`
 1. Set up UniFi in the web UI.
+1. (Optional) Usa an existing TLS certificate:
+    1. Stop UniFi.
+    1. Save the full-chain certificate as `fullchain.pem` and key as `privkey.pem`.
+    1. Convert it: `openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out cert.p12 -name unifi -password pass:temppass`
+    1. Import it: `keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass temppass -alias unifi -noprompt`
+    1. Delete the local files.
+    1. Start UniFi.
 
 {% include footer.md %}
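Review bot: both commands in the TLS certificate steps put secrets on the command line (`-password pass:temppass` for openssl; `-srcstorepass temppass`, `-deststorepass aircontrolenterprise` and `-destkeypass aircontrolenterprise` for keytool), so they are written to shell history and are readable from the process list while the command runs; `-password env:<VAR>` or `-password file:<path>` on the openssl side, and letting keytool prompt for the store passwords, avoid that. Two smaller points: the heading has a typo ("Usa" should be "Use"), and since `-noprompt` silently overwrites an existing `unifi` alias, the steps should back up `/var/lib/unifi/keystore` before the import.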

+ 4 - 0
config/network/vyos.md

@@ -112,4 +112,8 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
 
 Reboot the device and wait for the boot screen. In the boot screen, select the "lost password change (KVM)" option. It will boot to into a prompt asking you to set a new password. After setting a new password, the device will automatically reboot.
 
+## Random Notes
+
+- The DHCPv4 relay requires the interface towards the upstream DHCP server to be included in the relay interfaces. Otherwise the responses from the upstream server will be dropped.
+
 {% include footer.md %}
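Review bot: the new DHCPv4 relay note states the requirement but not the configuration statement it applies to; quoting the `set service dhcp-relay ...` line that lists the relay interfaces would tell readers exactly where the upstream-facing interface has to be added, and a one-line hint on how the failure shows up (clients never receive an offer although requests reach the upstream server) would help people recognise the symptom. The untouched context line above also has a typo, "boot to into a prompt".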