HON95 1 year ago
parent commit bc420411e8

+ 3 - 0
networking/cisco-aci.md

@@ -14,6 +14,7 @@ breadcrumbs:
 
 ### Relation to SDA
 
+- ACI is for DC while SDA is for campus/enterprise.
 - Both are zero-trust platforms/fabrics with VXLAN-based overlays.
 - SDA is part of Cisco DNA, ACI is its own thing.
 - SDA is managed by DNA Center, ACI is managed by APIC.
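Review bot: the new first bullet abbreviates "DC" while the rest of the list spells its terms out (campus/enterprise, Cisco DNA, DNA Center); suggest `- ACI is for data centers (DC) while SDA is for campus/enterprise networks.` so the distinction is clear to a reader meeting the page cold.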
@@ -22,4 +23,6 @@ breadcrumbs:
 
 ## Theory
 
+
+
 {% include footer.md %}
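Review bot: the `## Theory` section is still empty after this change; the two added blank lines only add whitespace before `{% include footer.md %}`. Either drop the heading until there is content to put under it, or keep a single blank line before the footer include as the other pages in this commit do.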

+ 1 - 1
networking/cisco-sda.md

@@ -21,7 +21,7 @@ breadcrumbs:
 
 - Show AP tunnels for edge: `show access-tunnel summary`
 
-## Architecture
+## Theory
 
 - SDA consists of Cisco DNA Center (DNAC) and a campus fabric of DNAC-managed switches. Cisco ISE is also used for policy design and operation.
 - Segmentation:
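Review bot: renaming `## Architecture` to `## Theory` changes the generated heading anchor, so any existing in-page or cross-page link to `#architecture` would break; the Junos page in this same commit relies on links of that form (e.g. `[Validate the Partitions](#validate-the-partitions)`), so it is worth grepping for `#architecture` before merging.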

+ 10 - 10
networking/juniper-ex.md

@@ -127,8 +127,9 @@ Example for setting up base system for a simple L2 switch.
     - `delete chassis auto-image-upgrade`
 1. Set new root password:
     - `set system root-authentication plain-text-password` (prompts for password)
+1. (Optional) Commit (stop the auto-upgrade spam etc.).
 1. Setup a non-root user:
-    - `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
+    - `set system login user <user> [full-name "<full-name>"] class super-user authentication plain-text-password` (prompts for password)
 1. Setup SSH:
     - Enable server: `set system services ssh`
     - Disable root login from SSH: `set system services ssh root-login deny`
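Review bot: the new `1. (Optional) Commit (stop the auto-upgrade spam etc.).` step gives no command, unlike every other step in this procedure, which lists the exact Junos command as a sub-bullet; suggest adding `    - \`commit\`` under it. The quoting change to `[full-name "<full-name>"]` is correct, since a full name containing spaces has to be quoted to be accepted as a single value.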
@@ -201,16 +202,15 @@ Example for setting up base system for a simple L2 switch.
     - (Note) There generally is no reason to not enable this on all ports, however, there may be certain devices or protocols which don't play nice with EEE (due to poor implementations).
     - Enable on RJ45 Ethernet interface: `set interface <if> ether-options ieee-802-3az-eee`
 1. (Optional) Configure RSTP:
-    - (Note) RSTP is the default STP variant for Junos.
+    - (Note) RSTP is enabled for all interfaces by default.
     - Enter config section: `edit protocols rstp`
-    - (ELS) Set interfaces: `set interfaces all` (or specific)
-    - Set priority: `set bridge-priority <priority>` (default 32768, should be a multiple of 4096, use e.g. 32768 for access, 16384 for distro and 8192 for core)
-    - Set hello time: `set hello-time <seconds>` (default 2s)
-    - Set maximum age: `set max-age <seconds>` (default 20s)
-    - Set forward delay: `set forward-delay <seconds>` (default 15s)
-    - **TODO** `edge` for access ports?
-    - **TODO** Guards, e.g. `bpdu-block-on-edge` or something.
-    - **TODO** Enabled on all interfaces and VLANs by default?
+    - Set interfaces: `set interfaces all` (example)
+    - (Optional) Set priority: `set bridge-priority <priority>` (default 32768, should be a multiple of 4096, use e.g. 32768 for access, 16384 for distro and 8192 for core)
+    - (Optional) Set hello time: `set hello-time <seconds>` (default 2s)
+    - (Optional) Set maximum age: `set max-age <seconds>` (default 20s)
+    - (Optional) Set forward delay: `set forward-delay <seconds>` (default 15s)
+    - Set edge ports: `wildcard range set protocols rstp interface ge-0/0/[2-5] edge` (example)
+    - Enable BPDU guard on all edge ports: `set protocols rstp bpdu-block-on-edge`
 1. Configure SNMP:
     - (Note) SNMP is extremely slow on the Juniper switches I've tested it on.
     - Enable public RO access: `set snmp community public authorization read-only`
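Review bot: the two new edge-port bullets mix absolute and relative paths. The procedure first does `edit protocols rstp` and the following bullets are relative to that section (`set interfaces all`, `set bridge-priority <priority>`), but the new lines give `wildcard range set protocols rstp interface ge-0/0/[2-5] edge` and `set protocols rstp bpdu-block-on-edge`; typed inside that section they would nest `protocols rstp` under itself. Either write them relative (`wildcard range set interface ge-0/0/[2-5] edge`, `set bpdu-block-on-edge`) or note that they are run from the top of the configuration. The same two bullets also disagree on the keyword (`set interfaces all` versus `interface ge-0/0/[2-5]`); check which form the platform accepts and use it consistently. Lastly, `(Note) RSTP is enabled for all interfaces by default.` replaces an open TODO question with a definite statement, so it would help to say which platform/Junos version this was verified on.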

+ 31 - 13
networking/juniper-junos.md

@@ -218,7 +218,22 @@ Wait for the "The operating system has halted." text before pulling the power, s
     - Statistics: `show interfaces statistics`
     - All details: `show interfaces detail`
     - Physical details: `show interfaces media`
+- Show switching/VLAN details for interface: `show ethernet-switching interface`
 - Show LLDP neighbors: `show lldp neighbors`
+- Show DHCP client:
+    - Show binding: `show dhcp client binding`
+    - Show stats: `show dhcp client statistics`
+
+### IPv6 Neighbor Discovery (ND)
+
+- Disallow solicitations from remote prefixes (config): `set protocols neighbor-discovery onlink-subnet-only`
+
+### DHCPv4 Server
+
+- Note that newer Junos versions use a different DHCP setup (JDHCP), with pool settings inside `access address-asignment`.
+- Show clients: `show dhcp server binding`
+- Show client detauls: `show dhcp server binding <address> detail`
+- Show stats: `show dhcp server statistics`
 
 ### Events
 
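Review bot: two typos in the added DHCPv4 Server bullets: `access address-asignment` should read `access address-assignment` (this is a configuration hierarchy name, so the misspelling would send a reader looking for a knob that does not exist), and `Show client detauls` should read `Show client details`.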
@@ -282,14 +297,6 @@ Note: USB3 drives may not work properly. Use USB2 drives.
 1. Cleanup old files: `request system storage cleanup`
 1. Make sure the alternate partition contains a working copy of the current version: See [Validate the Partitions](#validate-the-partitions).
 
-#### ISSU and NSSU
-
-Just info, no instructions here yet.
-
-- ISSU and NSSU may be used for upgrade without downtime, if the hardware supports it.
-- If using redundant hardware (multiple REs), ISSU may be use for upgrades without downtime. It may blow up. One RE is upgraded first, then state is transferred to it. Normal upgrade with reboot is more reliable if short downtime is acceptable.
-- If using virtual chassis, NSSU is similar to ISSU but doesn't require the same kind of state sync.
-
 #### Normal Method
 
 This should work in most cases and is the most streamlined version, but may not work for major version hops and stuff.
@@ -301,18 +308,19 @@ This should work in most cases and is the most streamlined version, but may not
 1. If copying from a USB drive:
     1. Format the USB drive using FAT32 and copy the software file to the drive.
     1. Enter shell mode on the device: `start shell user root`
-    1. Mount the USB drive:
-        - See [mount a USB drive](#mount-a-usb-drive).
-        - TL;DR: `mkdir /var/tmp/usb0 && mount_msdosfs <device> /var/tmp/usb0`
+    1. Mount the USB drive: `mkdir /var/tmp/usb0 && mount_msdosfs /dev/da1s1 /var/tmp/usb0`
+        - See [mount a USB drive](#mount-a-usb-drive) for details.
     1. Check the contents (copy the filename for later): `ls -l /var/tmp/usb0`
     1. Copy the file to internal storage: `cp /var/tmp/usb0/jinstall* /var/tmp/`
     1. Unmount and remove the USB drive: `umount /var/tmp/usb0 && rmdir /var/tmp/usb0`
     1. Enter operational CLI again: `exit` (or `cli`)
-1. Prepare upgrade: `request system software add <file> no-copy unlink reboot`
+1. Prepare upgrade: `request system software add /var/tmp/<file> no-copy unlink reboot [force-host]` (supports auto-complete)
     - `no-copy` prevents copying the file first (in this case it's pointless).
     - `unlink` removes the file afterwards.
     - `reboot` reboots the device, so the upgrade can begin when booting.
     - If it complains about certificate problems, consider disabling verification using `no-validate`.
+    - For virtualized devices, add `force-host` to upgrade the host too.
+    - If the date is significantly wrong on the device and NTP isn't used/synced, set it manually with `set date <YYYYMMDDhhmm>` first so validation doesn't fail.
     - It may produce some insignificant errors in the process (commands not found etc.).
 1. See [Validate the Partitions](#validate-the-partitions).
 
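Review bot: the mount step replaces the `<device>` placeholder with a hard-coded `/dev/da1s1`, but the device node depends on the platform and on how many disks are attached; suggest keeping the placeholder or writing `/dev/da1s1` as an example (`e.g. /dev/da1s1`) and pointing to the linked "mount a USB drive" section for how to find the right one. Also, the new `set date <YYYYMMDDhhmm>` bullet is the real fix for the certificate complaint described two bullets earlier (a badly wrong clock makes image validation fail), so it belongs before the bullet that suggests `no-validate`, with `no-validate` kept as the last resort rather than the first suggestion.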
@@ -324,11 +332,13 @@ If the normal method did not work, try this instead.
 1. Connect using a serial cable.
 1. Reboot the device and press space at the right time to enter the loader.
     - The message to wait for should look like this: `Hit [Enter] to boot immediately, or space bar for command prompt.`
-1. Format and flash: `install --format file:///jinstall-whatever.tgz` (where you placed it previously)
+1. Format and flash: `install --format file:///jinstall-whatever.tgz` (with correct name, no `/var/tmp/`)
 1. See [Validate the Partitions](#validate-the-partitions).
 
 #### Validate the Partitions
 
+Do this before as a check and after to make sure the new image is working and copied to both partitions.
+
 1. Log into the CLI.
 1. Verify that the system is booted from the active partition of the internal media: `show system storage partitions` (should show `Currently booted from: active`)
 1. Verify that the current Junos version for the *primary* partition is correct: `show system snapshot media internal`
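Review bot: the new intro sentence under "Validate the Partitions" is missing its objects: "Do this before as a check and after to make sure ..." reads better as "Do this before the upgrade as a sanity check and again afterwards to make sure the new image is working and has been copied to both partitions."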
@@ -337,6 +347,14 @@ If the normal method did not work, try this instead.
     - If the command fails, wait a bit and try again. The copy may still be happening in the background.
 1. (Info) To boot from the alternative partition: `request system reboot slice alternate media internal`
 
+#### ISSU and NSSU
+
+Just info, no instructions here yet.
+
+- ISSU and NSSU may be used for upgrade without downtime, if the hardware supports it.
+- If using redundant hardware (multiple REs), ISSU may be use for upgrades without downtime. It may blow up. One RE is upgraded first, then state is transferred to it. Normal upgrade with reboot is more reliable if short downtime is acceptable.
+- If using virtual chassis, NSSU is similar to ISSU but doesn't require the same kind of state sync.
+
 ### Fix a Corrupt Root Partition
 
 If one of the root partitions get corrupted (e.g. due to sudden power loss),
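Review bot: since the ISSU/NSSU block is being moved anyway, fix the typo it carries along: "ISSU may be use for upgrades without downtime" should read "ISSU may be used for upgrades without downtime".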

+ 38 - 6
networking/juniper-srx.md

@@ -126,9 +126,10 @@ SRX-specific information, see the Junos page for general information.
 - The default mode on most newer devices/versions is switching mode.
 - Switching mode:
     - Basically L3 mode. Pretty similar to L3 switches, with VLANs and RVIs.
-    - Uses IRB interfaces in security zones.
-    - Does not enforce policy on intra-VLAN traffic.
+    - Uses IRB/routed interfaces in security zones, forwarding the flow through the flow architecture.
+    - Does not enforce policy on intra-VLAN traffic. Intra-VLAN traffic is forwarded directly on the Ethernet chip.
     - Supports LACP.
+    - The number of VLANS is limited by hardware. SRX300 supports 1000 VLANs.
 - Transparent mode:
     - Basically L2 mode.
     - The firewall acts like an L2 switch connected inline in the infrastructure, allowing simple integration without modifying routing and protocols.
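Review bot: `The number of VLANS is limited by hardware.` should be `VLANs` as elsewhere on the page. The rewritten IRB bullet also reads circularly ("forwarding the flow through the flow architecture"); since the next bullet already says intra-VLAN traffic is forwarded directly on the Ethernet chip, suggest stating the contrast explicitly: "Uses IRB/routed interfaces in security zones; inter-VLAN (routed) traffic passes through the flow architecture, while intra-VLAN traffic is switched directly on the Ethernet chip and is not subject to policy."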
@@ -141,9 +142,40 @@ SRX-specific information, see the Junos page for general information.
 
 ### Security Zones
 
-- On SRX firewalls, you assign interfaces to security zones. **TODO** All interfaces must be assigned a zone and a zone may have zero or multiple interfaces?
-- *Security zones* are the main type of zone.
-- *Function zones* are for special purposes. Only the management zone ("MGT") is currently supported and does not allow exchanging traffic with other zones.
-- The default policy is to deny traffic both intra-zone and inter-zone.
+- On SRX firewalls, you must assign interfaces to a security zone.
+- *Security zones* are the main type of zone, whereas *function zones* are for special purposes. Only the management zone ("MGT") is currently supported and does not allow exchanging traffic with other zones.
+- The default policy is to deny traffic both intra-zone and inter-zone. Interfaces not assigned to a zone are part of the *null zone*, where no traffic may pass.
+- To allow traffic between zones, you must define a security policy between the zones.
+- To allow traffic to the firewall itself (e.g. ICMP, DHCP, SSH), you must configure it under `host-inbound-traffic` for the zone. NDP is enabled by default.
+- Commands:
+    - Show security zones: `show security zones`
+
+### Security Policies
+
+- Policies are handled using first-match.
+    - Reorder existing policies (example): `insert security policies from-zone trust to-zone untrust policy permit-mail before policy permit-all`
+
+### Security Screens
+
+- Used to screen traffic and drop suspicious stuff.
+
+### Address Books
+
+- Address book may be defined globally or within a zone, containing entries as groups of network prefixes.
+- The global book (`global`) is used for all security zones, for NAT configs and for global policies.
+- Default entries: `any`, `any-ipv4`, `any-ipv6`
+- Address sets may contain both IPv4 and IPv6 addresses from the same zone. Sets may also contain other sets.
+- Limitations:
+    - Address sets may contain at maximum 16384 entries and 256 sets.
+    - The harware model limits how many address objects a security policy can reference. For SRX300, this is 2048.
+    - Limit-wise, an IPv6 address is counted as 4 IPv4 addresses.
+- Examples:
+    - Define single address: `set security address-book global address HOST4_DNS_srv 10.0.0.10/32`
+    - Define range: `set security address-book global address RNG4_DNS_srv range-address 10.0.0.10 to 10.0.0.11`
+    - Define DNS name: `set security address-book global address FQDN4_yolo dns-name example.net`
+
+### Security Policies
+
+- Source and destination addresses may be negated using `source-address-excluded` and `destination-address-excluded`.
 
 {% include footer.md %}
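Review bot: `### Security Policies` now appears twice in this file (once after Security Zones with the first-match/`insert` bullets, and again after Address Books with the `source-address-excluded` bullet); merge the second bullet into the first section so the heading is unique and the anchor is unambiguous. Smaller points in the same hunk: `The harware model limits` should be `hardware`; `Address book may be defined globally or within a zone` should read `An address book may be ...`; and `### Security Screens` is currently a one-line placeholder, so it could either get a `**TODO**` marker like the rest of the notes or be left out until there is content.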