Author Archives: James Swineson

Juniper SRX as a DHCPv6 PD Client on a PPPoE Interface

Recently my ISP fixed the compatibility issues between their Huawei BRAS and my Junos router. After some digging, I managed to get some IPv6 address allocation for all my client devices. Here’s how I achieved it.

Disclaimer: This article assumes you have basic understanding on IPv6 as we are not going to dig into the very details of the IPv6 standards.

Continue reading

Flux Language Tutorial with Grafana

Flux Language is the shiny new query language that comes with InfluxDB 2.0. Since it is “the future”, and the OSS (free) version of InfluxDB 2.0 is not getting the old query language support in (at least) the first few versions, I’ve been using Flux Language for some new projects. Meanwhile, the (functional) documentation for both the Flux Language and its support in Grafana does not exist yet. In this post, I’d like to give some examples to quickly address common data processing needs, for both server monitoring and simple BI usages.

Continue reading

Interoperating Cisco DMVPN, Huawei DSVPN and OpenNHRP

Traditional point-to-point site-to-site VPN protocols require extensive setup in certain use cases. For example, if you want shortcuts between branch offices rather than let every packet go through the HQ, then you need to set up a cartesian product of tunnels by hand, which is time-consuming and error prone. So, people want something better, something easy to set up and maintain, and dynamic enough. While there are already a lot dynamic point-to-multipoint or full-mesh site-to-site VPN implementations (e.g. Tinc VPN, ZeroTier) on Linux, you don’t have many choices on these commercial black boxes.

Cisco DMVPN (Cisco Dynamic Multipoint VPN) is one solution to this. Huawei also had their DMVPN-compatible solution called DSVPN (Dynamic Smart VPN). Since the protocol is largely compatible, I’ll just reference it as DMVPN.

Continue reading

What the Flow: Reverse Route Modes on Juniper SRX

A SRX is a “security device”, or as we call it conventionally, a firewall. Modern layer-3 firewalls route packets just like a router, but unlike a router, a firewall can organize packets into connections (flows) and run ACLs on the entire flow. This unique functionality is the fundamental building block of every “advanced” security feature offered by a firewall: dynamic NAT (PAT/NPT), zone-based firewall (ZBFW), ACLs for in or out connections only, L7 filtering, etc. For the connection (flow) tracking to work, all the packets in a connection must go through the same device, and the 5-tuple of all the packets in a connection must be of expected values, which usually means:

  • The packets from A to B and the packets from B to A must all go through the firewall at some point
  • There shouldn’t be single-sided stateless NAT happening on the route

This was never an issue when everyone was single-homed and all the routers had only one routing table. But not today. SRXs now have built-in support for virtual routers which can create an asymmetric flow easily. Let’s look at this simplified topology:

Continue reading

Cisco Aironet 1800i: Hardware Detail

Cisco Aironet 1800i is a cute little device that is just a little smaller than my hand. They are light in weight, not very hot (not a good replacement of the old 3502i model if you also have a cat around your home) and require less power to operate. I recently got one 1800i in my room, so I’d like to write a little about this model since it is so different from the old PowerPC-based ones.

Continue reading

Multicast VXLAN for Routers

VXLAN has been around for a while, so how do router vendors support it? Well, let’s use a dead simple topology to test them out.

Our setup today:

  • All routers connected to the same dumb switch using IP range
  • Multicast signaling on address, No PIM
  • VXLAN UDP port 4789
  • Network on VNI 5000 (layer 3 termination / inter-VXLAN routing)

Continue reading

Setting up an ESXi Cluster

So you have a handful of brand new ESXi servers, and want VMs to automagically move here and there based on host availability and resource usage; vCenter have you covered with the DRS and HA but obviously you need to put all the hosts into a cluster for these thing to work. What you might not know is that there are 3 ways of creating a cluster which differs in certain things, and you will regret it if you choose the wrong one. Trust me, I learned it the hard way.

Note: we are using ESXi 7.0 and vCenter 7.0 here.

Continue reading