VMware VCP-NV certification (VMware NSX-v)

VCP-NV stands for VMware Certified Professional – Network Virtualization. I did VCP-NV this month and here are my ‘few’ words about it, based on my little knowledge 🙂.

Just to recap: VMware vSphere provides two virtual switches, the standard vSwitch and the vSphere Distributed Switch (VDS). A standard vSwitch is created and managed per host (ESXi host). A Distributed Switch is created at the vCenter level and can be deployed to all the hosts managed by that vCenter; it is like creating once and deploying the same across all the hosts in the cluster. The Distributed Switch needs an Enterprise Plus license and comes with many more features than the standard vSwitch.

Though virtual switches are already present in the vSphere product, they do not provide actual/complete network virtualization. They still depend on changes to the physical devices (for example, when a new network (VLAN) is created). Also, traffic between two networks needs to go out to the physical network and come back to the ESXi host even though both networks reside in the same ESXi host. There are many use cases like this. There were missing pieces in the VMware vSphere environment that SDN/overlay technologies fill in.

VMware made a good decision (I think so) to acquire Nicira, and from that came the network virtualization platform “VMware NSX”. VMware NSX comes in two flavours: NSX-v (for vSphere environments) and NSX-mh (for multi-hypervisor environments). This certification covers only NSX-v.

I skipped VCA-NV and directly did VCP-NV as I have a valid Cisco certification currently (See Path 3 from VCP-NV certification page).

“Path 3: Valid CCNA Data Center or CCNA Routing & Switching or CCNP Data Center or CCNP Routing & Switching certification or CCIE Data Center or CCIE Routing & Switching. Note: This path is only available until January 31, 2016” – from VMware VCP-NV page

Here are some suggestions for exam preparation.

1. Take the free self-paced training from VMware, VMware Network Virtualization Fundamentals.

2. Check out the exam blueprint.

3. Understand VMware NSX from the “VMware NSX Network Virtualization Design Guide”. This guide contains everything you need to know about NSX in general and to pass the exam.

4. There are two courses by Jason Nash about VMware NSX available on Pluralsight.com. You will find them very useful.

VMware NSX for vSphere Introduction and Installation by Jason Nash

VMware NSX for vSphere: Network Services by Jason Nash

If you are not ready to view the whole series, you can watch selected portions covering the topics you are unsure about.

(Pluralsight offers 10 free days (up to 200 minutes) to view their videos.)

5. Take a practice exam at VMware site and see how much you can score.

6. Make use of VMware Hands On Labs (HOL).

Image Courtesy: VMware (design guide) – The diagram explains the sequence of steps to prepare the NSX vSphere environment.

Hope you find this post useful!


Try Junos OS with Juniper Networks’s vSRX virtual firewall – Simple Topology

Hi! My last post gives an overview of how to prepare for the JNCIA certification and get started with Junos OS. This post is for people who are looking to get some hands-on time with Junos OS devices.

If you do not have access to real physical Juniper devices, you can try Juniper Networks’s vSRX (formerly known as Firefly Perimeter) virtual firewall.

Download and deploy the virtual appliance in VMware ESXi

You can download the vSRX VMware/KVM virtual appliance (evaluation download) here. Please refer to the vSRX documentation to learn about vSRX, its features, download/install instructions, initial configuration, etc.

In this post, I intend to introduce vSRX to those who have not heard about it (I think I am already done 🙂) and discuss how to set up a simple OSPF topology with vSRX deployed inside a VMware ESXi host.

Topology

Three vSRX VMs, with OSPF running on the vSRXs.

The above screenshot is taken from Junos Space Network Management Platform’s Network Monitoring topology (Powered by OpenNMS).

Setup

Three vSRX virtual appliances have been deployed in ESXi hosts.

  1. sulaiman_fp1_10
  2. sulaiman_fp2_11
  3. sulaiman_fp3_12

I have added one extra vNIC on all the vSRXs. By default it comes with 2 vNICs. You can add up to 10 vNICs.

I used the ge-0/0/0.0 interface as the management interface on all the vSRXs, and hence Network Adapter 1 (ge-0/0/0.0) is assigned to the port-group configured in the vSphere Standard Switch which has an uplink to the physical switch.

All the initial configuration on the vSRX is done (i.e. root password, default static route, etc.). Please refer to the documentation link above if you have difficulty in setting up the initial configuration.

VMware Standard Switch

vSphere has many types of virtual switches (i.e. Standard Switch, Distributed Switch and NSX Logical Switch).

To form an OSPF topology with three network segments as shown in the topology above, I have used the Standard Switch by creating three vSwitches and configuring one port-group in each.

You can also create a single vSwitch and configure three port-groups with different VLAN IDs.

The remaining network adapters of the vSRXs are assigned to the appropriate port-group based on the network segments (see below).

No uplinks are required for these port-groups, as traffic between these network segments will never leave the host (hypervisor). vSRX will route traffic between them!

  1. 10.10.10.0/24 Between sulaiman_fp1_10 (ge-0/0/1.0) and sulaiman_fp2_11 (ge-0/0/1.0)
  2. 172.16.0.0/24 Between sulaiman_fp1_10 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/1.0)
  3. 172.31.0.0/24 Between sulaiman_fp2_11 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/2.0)

Interface configuration snippet

sulaiman_fp1_10

root@sulaiman_fp1_10> show version 
Hostname: sulaiman_fp1_10
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
root@sulaiman_fp1_10> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.10/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.10/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

sulaiman_fp2_11

root@sulaiman_fp2_11> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.11/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.11/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.11/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32

sulaiman_fp3_12

root@sulaiman_fb3_12> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.12/20
set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.12/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.12/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32

IMPORTANT: vSRX is a firewall, so configure security zones and allow the needed traffic between the zones. If you do not require vSRX to run in flow mode, you can disable flow mode.

Sample configuration snippet to configure security zones:

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services any-service
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp

The snippet above should be self-explanatory. Most of this configuration comes as the factory default settings. You can see that the management interface ge-0/0/0.0 is bound to the untrust zone and only management-related traffic is enabled. Pay attention to this config if you find something is not working in your environment.

Configure single area OSPF

It is very straightforward!

root@sulaiman_fp1_10> show configuration | display set | match ospf 
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set security zones security-zone trust host-inbound-traffic protocols ospf

Note: ge-0/0/0.0 and the loopback interface are configured as passive OSPF interfaces. The loopback address will be the router-id.
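Because vSRX is a firewall, an OSPF adjacency only forms on an interface whose zone admits OSPF in host-inbound-traffic, which is why the zone snippet and the OSPF snippet above go together. The following is an added example (not part of the original post) that parses 'display set' lines and flags any non-passive OSPF interface whose zone admits neither ospf nor all; the embedded sample config is a trimmed copy of the post's snippets, and the function names are my own.

```python
import re

# Constructed sample input: a trimmed copy of the post's zone and OSPF snippets.
SAMPLE_CONFIG = """
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services any-service
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
"""

# 'display set' line shapes used in the post: interface-level, zone-level, and OSPF.
ZONE_IFACE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                        r"(?: host-inbound-traffic (protocols|system-services) (\S+))?$")
ZONE_PROTO = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic protocols (\S+)$")
OSPF_IFACE = re.compile(r"^set protocols ospf area \S+ interface (\S+)( passive)?$")

def parse_config(text):
    """Collect interface->zone, zone-level protocols, per-interface protocols/services and OSPF interfaces."""
    iface_zone, zone_protos, iface_protos, iface_services, ospf = {}, {}, {}, {}, {}
    for line in text.strip().splitlines():
        if m := ZONE_IFACE.match(line.strip()):
            zone, iface, kind, value = m.groups()
            iface_zone[iface] = zone
            if kind == "protocols":
                iface_protos.setdefault(iface, set()).add(value)
            elif kind == "system-services":
                iface_services.setdefault(iface, set()).add(value)
        elif m := ZONE_PROTO.match(line.strip()):
            zone_protos.setdefault(m.group(1), set()).add(m.group(2))
        elif m := OSPF_IFACE.match(line.strip()):
            ospf[m.group(1)] = m.group(2) is not None  # True when passive
    return iface_zone, zone_protos, iface_protos, iface_services, ospf

def ospf_blocked_interfaces(text):
    """Non-passive OSPF interfaces whose zone admits neither 'ospf' nor 'all' host-inbound protocols."""
    iface_zone, zone_protos, iface_protos, _, ospf = parse_config(text)
    blocked = []
    for iface, passive in sorted(ospf.items()):
        zone = iface_zone.get(iface)  # None if the interface is in no zone at all
        admitted = zone_protos.get(zone, set()) | iface_protos.get(iface, set())
        if not passive and not admitted & {"ospf", "all"}:
            blocked.append(iface)  # hellos would be dropped by the flow engine; adjacency never forms
    return blocked
```

Passive interfaces (ge-0/0/0.0 in untrust, lo0.0) are skipped because they send no hellos, so a passive management interface in the untrust zone is not reported.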

root@sulaiman_fp1_10> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.10.10.11      ge-0/0/1.0             Full      2.2.2.2          128    38
172.16.0.12      ge-0/0/2.0             Full      3.3.3.3          128    33
root@sulaiman_fp2_11> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.10.10.10      ge-0/0/1.0             Full      1.1.1.1          128    36
172.31.0.12      ge-0/0/2.0             Full      3.3.3.3          128    33
root@sulaiman_fb3_12> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
172.16.0.10      ge-0/0/1.0             Full      1.1.1.1          128    39
172.31.0.11      ge-0/0/2.0             Full      2.2.2.2          128    34
root@sulaiman_fb3_12> show route protocol ospf    

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 3w0d 18:00:17, metric 1
                    > to 172.16.0.10 via ge-0/0/1.0
2.2.2.2/32         *[OSPF/10] 3w0d 18:00:07, metric 1
                    > to 172.31.0.11 via ge-0/0/2.0
10.10.10.0/24      *[OSPF/10] 3w0d 18:00:07, metric 2
                    > to 172.16.0.10 via ge-0/0/1.0
                      to 172.31.0.11 via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 3w0d 18:01:32, metric 1
                      MultiRecv

root@sulaiman_fb3_12> ping 10.10.10.11 
PING 10.10.10.11 (10.10.10.11): 56 data bytes
64 bytes from 10.10.10.11: icmp_seq=0 ttl=63 time=10.338 ms
64 bytes from 10.10.10.11: icmp_seq=1 ttl=63 time=10.426 ms
^C
--- 10.10.10.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.338/10.382/10.426/0.044 ms

Configure LLDP

In the topology diagram shown above, in addition to the OSPF links, LLDP links also got discovered. To configure LLDP:

root@sulaiman_fp1_10> show configuration | display set | match lldp    
set protocols lldp interface ge-0/0/1.0
set protocols lldp interface ge-0/0/2.0
root@sulaiman_fp1_10> show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/1.0         -                   4c:96:14:3e:12:80   ge-0/0/1.0         sulaiman_fp2_11     
ge-0/0/2.0         -                   4c:96:14:78:91:80   ge-0/0/1.0         sulaiman_fb3_12


Hope you find this post useful! Enjoy Network Virtualization!

Bonus Tips: If you have prior experience in ScreenOS, you can take the web-based training “Junos as a Security Language”.

If you find any errors in the post, please contact me. I will be happy to correct it.

CCNA and then JNCIA

It has been a long time since I wrote a certification exam. The last one I did was SCJP 1.4 (Java certification, in 2007).

My work is based on Network Management Systems (NMS). I had been planning to take some network certifications for many years but could not do it due to work/family/master’s degree commitments…

To start on this plan, I did CCNA R&S in February 2015 and JNCIA in April 2015. Alhamdulillah.

Here are details about my JNCIA preparation which might help someone.

Take a look at the Juniper Networks Fast Track certification program (click here).

The syllabus of JNCIA (Junos) is not as heavy as CCNA. JNCIA (Junos) is the first-level certification and it is the prerequisite for all other Juniper Networks certifications.

The JNCIA exam covers:

  • Networking Basics – OSI, TCP/IP, subnetting, etc.
  • Junos OS – You will love the beauty of Juniper Networks Junos OS CLI and its cool features!
  • Routing Fundamentals
  • Routing Policy
  • Firewall Filters – Like Access list in Cisco IOS

How did I prepare for this exam?

#1) Take Juniper Networks Web Based Training (Free)

Networking Fundamentals – WBT – It is worth taking this self-paced training. It will help you review the network fundamentals. Even if you are CCNA certified, this training will help review the basics.

Junos as a Second Language – WBT – Get to know the Junos OS CLI in this training.

#2) Day One guides

Juniper Networks provides great free Day One guides. The two guides below will be useful for this course.

Day One: Exploring the Junos CLI

Day One: Junos for IOS Engineers – If you already know Cisco IOS, download this PDF.

#3) Free JNCIA Study Resources

Download the two small PDFs from the Fast Track portal and understand the concepts.

JNCIA-Junos-P1_2012-12-19.pdf and JNCIA-Junos-P2_2012-12-20.pdf

#4) Take a practice exam here.

#5) Take the pre-assessment exam to get an exam discount (you will get a 50% exam discount voucher). You can take the pre-assessment exam as many times as you like.

#6) If you have an Android/iPhone/iPad device, download the Junos Genius app and practice the questions in it.

#7) If you find it difficult to answer questions from any of the topics, then study those topics alone from the old JNCIA study guide PDF. I had difficulty in understanding Routing Policy, so I just studied that chapter alone from this study guide.

You may need an account to download/view any of the above resources, so register for a login. It is again free :-).

The exam fee for JNCIA is $100 and you will get a 50% discount on passing the pre-assessment exam, so the fee will be $50.

That’s it. You are good to go.  Book JNCIA exam and get JNCIA certified 🙂

Bonus Tips: If you need hands-on experience on a Junos device, you can download Juniper vSRX and deploy it in VMware ESXi/KVM. Enjoy practicing the Junos OS CLI!