Juniper ScreenOS IPv4 vs. IPv6 Throughput Tests

And finally the throughput comparison of IPv6 and legacy IP on a Juniper ScreenOS firewall. Nobody needs this anymore since they are all gone. ;) But since I did the same speedtests for Palo Alto and FortiGates I was interested in the results here as well.

Continue reading Juniper ScreenOS IPv4 vs. IPv6 Throughput Tests

Juniper ScreenOS VPN Speedtests

Just for fun some more VPN throughput tests, this time for the late Juniper ScreenOS firewalls. I did the same Iperf TCP tests as in my labs for Fortinet and Palo Alto, while I was using six different phase1/2 proposals = crypto algorithms. The results were as expected with one exception.

Continue reading Juniper ScreenOS VPN Speedtests

Juniper ScreenOS Initial Cleanup Config

I still like the Juniper ScreenOS firewalls such as the SSG 5 or the SSG 140. However, they are End of Everything (EoE) and not used at the customers anymore. But they still do their job in basic networking (static/dynamic routing such as OSPF & BGP, IPv6, NAT), basic firewalling (access policies), and IPsec VPN. Hence I am using a couple of SSGs in my lab when playing with routing protocols and so on.

After a factory reset of those firewalls there are some default settings such as zones at a few interfaces and default IP addresses. Therefore I put the following commands together in order to cleanup the default config to have only IP addresses and default routes which is a good starting point for lab configurations. Let’s go:

Continue reading Juniper ScreenOS Initial Cleanup Config

Dump1090 ADS-B Stats

Genau das Richtige für mich: Viele Statistiken bzgl. des ADS-B Empfangs. Konkret laufen diese dump1090-tools lokal auf dem Raspberry Pi und werten das Log von dump1090-mutability aus. (Siehe meinem letzten Post zur Installation von dump1090.) Vorallem die Statistiken über die Anzahl der empfangenen Flugzeuge sowie den Empfangsbereich sind einfach zu verstehen und sehr interessant.

Die Installation dieser Tools ist ebenfalls sehr einfach – nur wenige Befehle. (Auch wenn ein alter Raspberry Pi 1 B dann über 30 Minuten zum Ausführen braucht.) Ziemlich out-of-the-box werden dann im 5 Minuten Takt neue RRDtool Grafiken erzeugt. Los geht’s:

Continue reading Dump1090 ADS-B Stats

ADS-B am Raspberry Pi: dump1090-mutability

Bereits seit einigen Jahren setze ich einen DVB-T Stick zum Empfang von ADS-B Daten an einem Raspberry Pi ein. Damals habe ich erklärt, wie man die Linux Software dump1090 dafür verwendet. Der seit dem von mir verwendete Fork auf GitHub von MalcolmRobb wird allerdings seit Jahren nicht mehr weiterentwickelt. Nach einiger Recherche bin ich auf den Fork dump1090-mutability gestoßen, welcher sich von MalcolmRobbs ableitet. “It adds new functionality and is designed to be built as a Debian/Raspbian package.”

Tatsächlich lässt sich dieses Tool sehr einfach installieren, was ich nachfolgend gerne erläutern möchte. Die erweiterten Funktionlitäten sind z.B: die Logging-Möglichkeiten, mit denen sich Statistiken erzeugen lassen. Hierüber wird es einen extra Blogpost geben.

Continue reading ADS-B am Raspberry Pi: dump1090-mutability

ADS-B Empfangsbereich mit dem FlightAware Pro Stick erweitern

Es war mal wieder Zeit für ein bisschen Bastelarbeit an meinem Dauerprojekt ADS-B. Letztes Jahr hatte ich zunächst eine DIY-Antenne und schließlich eine bei eBay gekaufte Antenne für den Empfang der Flugzeugdaten gebastelt und getestet. Dieses Mal war der DVB-T Stick an der Reihe, der durch den “FlightAware Pro Stick” ersetzt wurde, welcher über einen eingebauten Vorverstärker in der entsprechenden Frequenz verfügt. Zusätzlich habe ich noch den ebenfalls von FlightAware hergestellten Mode-S 1090 MHz Bandpass Filter für ADS-B mit eingebaut, welcher für weniger Rauschen im Frequenzbereich drum herum sorgt.

Beides zusammen hat ein weiteres Mal für einen erheblich besseren Empfang bei gleicher Antenne und Position gesorgt. Das schöne an der Sache: Der Stick hat direkt und ohne irgendeine Konfiguration funktioniert, da er ebenfalls als normaler DVB-T Stick von Linux und von der verwendeten dump1090 Software erkannt wurde.

Continue reading ADS-B Empfangsbereich mit dem FlightAware Pro Stick erweitern

Palo vs. Forti: Blog Stats

I want to talk about a fun fact concerning my blog statistics: Since a few years I have some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for the FortiGate firewall from Fortinet. If you are searching on Google for something like “palo alto cli commands” or “fortigate troubleshooting cli” my blog is always listed amongst the first 2-4 results.

But for some reasons the article for Fortinet has much more hits. I don’t know why but I have two different ideas. What do you think?

Continue reading Palo vs. Forti: Blog Stats

Palo Alto Aggregate Interface w/ LACP

Since PAN-OS version 6.1 the Palo Alto Networks firewall supports LACP, the Link Aggregation Control Protocol which bundles physical links to a logical channel. Palo Alto calls it “Aggregate Interface Group” while Cisco calls it EtherChannel or Channel Group. I configured LACP for two ports connected from a Palo Alto firewall to a Cisco switch. Following are the configuration steps for both devices as well as some show commands.

Continue reading Palo Alto Aggregate Interface w/ LACP

Palo Alto LLDP Neighbors

I just configured LLDP, the Link Layer Discovery Protocol, on a Palo Alto Networks firewall. What I really like about those firewalls is the completeness of configuration capabilities while the possibility to use it easily. Everything can be done via the GUI, even the view of neighbors/peers. Per default, only a few TLVs are sent by the Palo, but this can be extended by using LLDP profiles.

Following are a few configuration screenshots from the Palo as well as the config and show commands from a Cisco switch.

Continue reading Palo Alto LLDP Neighbors

Wireshark Layer 2-3 pcap Challenge Answers

A few weeks ago I published a pcap file along with many challenges in order to invite anyone to download and to solve it. Though there are not that many answers posted in the comment section I hope that the trace file will help many people understanding the layer 2/3 protocols or to work with it during CCNP exam preparation.

Following are my answers to the 46 challenges I posted back then. I’ll not only give you the mere results but many Wireshark screenshots with some notes on how to get them. Here we go:

Continue reading Wireshark Layer 2-3 pcap Challenge Answers

Basic Cisco Configuration

Following is a list of the most common Cisco device configuration commands that I am using when setting up a router or switch from scratch, such as hostname, username, logging, vty access, ntp, snmp, syslog. For a router I am also listing some basic layer 3 interface commands, while for a switch I am listing STP and VTP examples as well as the interface settings for access and trunk ports.

This is not a detailed best practice list which can be used completely without thinking about it, but a list with the most common configurations from which to pick out the once required for the current scenario. Kind of a template. Of course with IPv6 and legacy IP.

Continue reading Basic Cisco Configuration

CCNP SWITCH Lab show commands

Second post of this little series. While I was using my CCNP SWITCH lab for testing many different protocols, I “showed” and saved the output of those protocols as well. Refer to the lab overview of my last post in order to understand those outputs.

I basically saved them as a reference for myself in case I am interested in the information revealed by them. I won’t explain any details of the protocols nor the outputs here. Just many listings. Fly over them and reflect yourself whether you would understand anything. ;) Here we go:

Continue reading CCNP SWITCH Lab show commands