Back on it – CCNP up for renewal

I passed my JNCIS-SEC back in June 2018 and now I’m gearing up for the 300-206 Cisco SENSS Implementing Cisco Edge Network Security Solutions exam in the upcoming months.

This is an exam I’ve wanted to do for a few years and now my CCNP is up for renewal I’m going to tackle it.

The official Cisco Press book for the course didn’t get released but here is my current list of study material.


SRX300 – Signed Driver for USB Console Port

All been a bit quiet here for a while, so just posting a small note to keep the blog flowing.

Normally I connect up to hardware via a USB to Serial cable. The SRX300, a newer model of the small/medium sized branch firewall/router, comes with a USB console interface. This differs from the USB port you get for updating firmware. The box ships with a standard USB Type A to USB Mini Type B cable (link just for identification purposes) and I thought I’d test out the on-board USB console port and supplied cable.

When I connected it up to the laptop, Device Manager identified it as Juniper Networks BX Series System Console. When I searched around the web and the Juniper website I couldn’t seem to find a driver that would work.

Juniper Networks BX Series System Console

Eventually, I found a site which had a bit of information regarding the on-board connection, a SiLabs USB to RS232 interface, and a reference that Juniper has used a modified version of the chipset driver. In the link below there is a driver that has been signed by the author, and the driver worked for me instantly. So it’s worth a look. That being said, you can’t beat your good old USB-to-Serial console cable, but this is handy if you ever forget it on the road!

COM port identified in Device Manager
SRX300 with supplied USB console cable

Juniper SRX300 and SRX340 USB driver

Lab Network Infrastructure

As well as working on the “Automation Lab Project” I’ve been busy documenting the LAB infrastructure I’ve built up at home. When I start to study, I’ll be using GNS3 and Juniper Olive VMs to learn with, and also have access to the Physical Juniper Router.

When I was studying for CCNP, I did a similar thing where I connected up real kit to GNS3 using a breakout switch and it worked quite well. What I didn’t do very well is keep track of my configurations and any changes I made. This time round I wanted to try again and ensure that I document what I do.

As an added extra I wanted to keep track of my LAB configurations, so I looked into building a Raspberry Pi with RANCiD, a tool that backs up network configurations and lets you run diffs against the changes made. I found a really good YouTube video here from a lecture at SAINTCon 2015 and just followed the steps.

Watching the video I found out about a really good Raspberry Pi OS called DietPi. Installing software for it is fairly easy, and there is a really good backup system. As I’m still getting to grips with administering Linux it’s been really handy being able to back up and restore quickly when trying out new things. Below is a screenshot of the front end to RANCiD on the Pi.

Static route added
GIT – Web Front End on Raspberry Pi

The tutorial uses a newer version of RANCiD than I’m used to and opts for GIT instead of CVS to diff the configurations. Since I’ve been learning a little bit more about how GIT works, I’ve found out from a Dev friend that you can push one GIT repository to multiple remote repositories using GIT remotes. So using a bash script and cron job, I’m able to PUSH the configurations up to a remote GIT site as well as keeping a copy locally and on USB (via dietpi-backup).
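For anyone wanting to do the same thing, here is a small POSIX shell example of the "push to every remote from cron" idea. This is an added example, not the script used on the Pi or anything shipped with RANCiD or DietPi. It assumes the RANCiD git repository path, the remote names (usb and offsite) and the commit message are placeholders you would swap for your own; the demo function builds a throwaway repository with a constructed router config and two bare repositories standing in for the USB copy and the remote git site, so it runs offline.

```shell
#!/bin/sh
# push_configs.sh: push a RANCiD git repository to every configured remote.
# Meant to be called from cron after rancid-run has committed new configs.
# Example (hypothetical path):  ./push_configs.sh /path/to/rancid/git/repo

# push_all_remotes REPO_DIR
# Reads the remotes configured in REPO_DIR and pushes the current branch to
# each one. Returns non-zero if any push failed, so cron reports the error
# instead of silently leaving a remote stale.
push_all_remotes() {
    repo="$1"
    status=0
    branch=$(git -C "$repo" rev-parse --abbrev-ref HEAD) || return 1
    for remote in $(git -C "$repo" remote); do
        if git -C "$repo" push -q "$remote" "$branch"; then
            echo "pushed $branch to $remote"
        else
            echo "push to $remote failed" >&2
            status=1
        fi
    done
    return "$status"
}

# count_remote_commits BARE_REPO BRANCH
# Number of commits on BRANCH in a (bare) repository; a quick check that
# the push actually landed where we think it did.
count_remote_commits() {
    git -C "$1" rev-list --count "$2"
}

# demo_lab_backup
# Constructed scenario: one router config committed locally, then pushed to
# a "usb" and an "offsite" bare repository. Prints the commit count seen by
# each remote, e.g. "1 1".
demo_lab_backup() {
    work=$(mktemp -d)
    repo="$work/rancid-configs"
    git init -q "$repo"
    git -C "$repo" config user.email "rancid@lab.invalid"
    git -C "$repo" config user.name "rancid"
    # constructed sample config, standing in for a RANCiD-collected router config
    printf 'hostname R1\n!\ninterface Gi0/0\n ip address 192.168.1.10 255.255.255.0\n' > "$repo/R1"
    git -C "$repo" add R1
    git -C "$repo" commit -q -m "R1: initial config"
    # two bare repositories play the roles of the USB copy and the remote git site
    git init -q --bare "$work/usb.git"
    git init -q --bare "$work/offsite.git"
    git -C "$repo" remote add usb "$work/usb.git"
    git -C "$repo" remote add offsite "$work/offsite.git"
    push_all_remotes "$repo" >/dev/null || return 1
    branch=$(git -C "$repo" rev-parse --abbrev-ref HEAD)
    echo "$(count_remote_commits "$work/usb.git" "$branch") $(count_remote_commits "$work/offsite.git" "$branch")"
    rm -rf "$work"
}
```

One thing to check before wiring this up to a hosted git site: the configs RANCiD collects contain password hashes and SNMP community strings unless the FILTER_PWDS option in rancid.conf is left on, so confirm that filtering is enabled, keep the remote repository private, and use SSH key authentication for the push so no credentials end up in the cron job itself.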

Testing the LAB

So far, I’ve been testing small topologies in GNS3 with Cisco IOS routers and it’s working well. All 8 of the Cisco devices you can see below backed up correctly.

The Raspberry Pi on the physical network can access the GNS3 lab and can back up the configurations. What may complicate the Juniper SRX lab configs will be ensuring that the LAB can get to the 192.168.1.0/24 network so that they can all back up – we’ll see.

I wrote up some notes during the Raspberry Pi installation as it was a bit hit and miss at times – so I’ll write up a post in the future.

GNS3 Test Topology – RANCiD

Study for the JNCIS-SEC

As I prepare for the JNCIS-SEC exam I’m hoping to be able to use this LAB infrastructure as a way to keep track of configurations when I’m using GNS3, and also to keep practicing. I’ve got the Juniper book Juniper SRX Series to read through and Junos Security to accompany it.

The RANCiD backups might be a little bit overkill at this point but they should help with learning the structure of configurations. I’m pretty sure a lot of my time is going to be spent understanding NAT and Firewall Policies over the next few months, and at some point I need to review my MPLS knowledge, so it should help with the volume of router configs.

LAB Diagram and Photos

LAB Infrastructure
Juniper SRX210HE and Cisco c2960
Raspberry Pi 2 running DietPi, USB backup storage and RANCiD
Coredy USB 3.0 Hub with 100/1000 Network Card

Exam Update

As my JNCIS-SEC exam is coming up this year, preparations are being made to ensure my exam is a successful one. My copy of Juniper SRX Series by Brad Woodberg arrived last week and I’m awaiting my copy of Junos Security, due to arrive shortly.

SRX210HE

Late last year I bought myself some SRX hardware, an SRX210HE. There are a few versions of the SRX210, and when I was choosing some hardware on eBay I wanted to make sure I chose a high memory version.

SRX210 Services Gateway Models

My physical Juniper Lab is going OK. I had a few snags when setting up the physical SRX210, more of a learning experience than anything else. I managed to lock myself out of the device and was unable to reset to the factory default configuration. Why? Because I had overwritten the rescue configuration – d’oh. Then, getting back in via recovery mode wouldn’t work either, and the root account was blocked in what I believe is single-user recovery mode.

I ended up trawling the Juniper Forums and then having to flash the device. To be honest it was pretty fun, even if I did think I’d turned my SRX into a £180 brick! I’ve prepared a post detailing the steps taken, it’s in draft and will be up in good time.

“Automation Lab” Project

Automation Lab Project

This time last year, I knew nothing about GIT, GitHub, Bitbucket, Ansible or Vagrant and my Linux-fu skills were a bit thin on the ground. Now, after spending a bit more time reading, testing and practicing with some “on the job skills” every day, I know a little bit more than I did.

Generally I use GNS3 to create Labs and use a combination of VMs/Cisco IOS images/Real kit to lab things up. With my JNCIS-SEC exam coming up, I want to create some Labs using a combination of Real Kit and some Juniper Olive Images.

Problems faced when I created labs in the past:

  • Accommodating kit at home is costly to run and takes up a lot of room! (photo: My 2015 CCNP Rack)
  • Storing my configurations/projects can become a pain (Several GNS3 Projects scattered)
  • Sometimes I’ll make changes to configurations, close down then forget what I’ve changed
  • Creating similar configurations for 10 routers etc. can be a real drag (I don’t want to pay for Cisco VIRL yet) and there doesn’t seem to be a VIRL equivalent for Juniper
  • Building a Linux VM (DNS Services, Endpoints, Web Servers) for use in the lab involves downloading the ISO and installing everything

What goals do I want to achieve here:

  • Solve a few of the “problems” mentioned above using DevOps tools and general network tools
  • Create a GIT repository for Network Scripts
  • Build a Vagrant Box containing the DevOps tools
  • Get to grips with Netmiko and Python to perform tasks on a network
  • Build up a framework to create network templates using Jinja2 template language
  • Explore the features of using Ansible to orchestrate changes to a router (Juniper or Cisco)
  • Have a method of saving configurations and viewing any changes that have been made (Diffs)

What is the project exactly?

At the moment it’s just a set of goals that I want to achieve, to help me become a better network engineer and aid myself with getting my JNCIS-SEC exam. I’ve already started putting some work into a Bitbucket private repo that has been going on for the past 6 months, and once that’s in better shape I’ll get it released.

Icinga 2 & DigitalOcean

Recently I created an account with a cloud provider you have probably heard of – DigitalOcean. You can spin up a virtual machine in seconds for as little as $5 per month.

To learn a bit more about Icinga2, I’ll be using a DigitalOcean server to build an Icinga2 box and use an install guide I found here: link

I’ll likely put up some posts soon – focusing on some of the existing Cisco/Juniper SNMP checks.

SRX210

I’ve just purchased an SRX210HE2 from eBay and I’m planning to use it to help with my JNCIS-SEC studies.

This device is a firewall and a router, and the model is listed as SRX210 Services Gateway High Memory (Enhanced performance). I chose this model as I wanted the ability to connect it to my FTTC (VDSL) connection, have the line operate at full capacity (80 Mbps) and be able to practice VPN configurations on the internet boundary.

You can pick this model up on eBay for £140+; look out for what type it is, as some come with extra memory, PoE cards and ADSL slots. In further posts I’ll write up my LAB topology.