Aug 17, 2012

Juniper SSG5 利用 USB 昇級程序說明

在Juniper SSG5的背板有一個USB插槽,可以讓你在沒有網路連線能力下直接昇級,以下是詳細的過程說明:


1. 先在你的電腦上把取得的SSG firmware解壓縮,因為從網站上下載的通常是壓縮檔(.zip),你必須先解壓縮成原始firmware檔案,通常沒有副檔名。
EX: 我從網站上下載的檔案名稱是 "ssg5ssg20.6.3.0r10.0.zip",解壓縮之後的檔名是 "ssg5ssg20.6.3.0r10.0"
2. 然後直接把它複製到USB隨身碟中,再插到SSG5背板的USB插槽中。在SSG console畫面中會看到相關的提示如下:


ssg5-serial-> 
Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 2, SCSI over Bulk-Only

Mount usb device. Please wait...
usb device (usb) ready.

ssg5-serial-> 


3. 檢查一下原有SSG的版本號碼:


ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r9.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Fri Sep 9 04:22:38 PDT 2011
Base Mac: 88e0.f302.5ec0
File Name: screenos_image, Checksum: cd7dfcdf
, Total Memory: 256MB

Date 01/15/2002 03:02:54, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 86 hours 5 minutes 41 seconds Since 11Jan2002:12:57:13
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.
ssg5-serial-> get syste
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r9.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Fri Sep 9 04:22:38 PDT 2011
Base Mac: 88e0.f302.5ec0
File Name: screenos_image, Checksum: cd7dfcdf
, Total Memory: 256MB

Date 01/15/2002 03:02:54, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 86 hours 5 minutes 41 seconds Since 11Jan2002:12:57:13
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.


4. 檢查一下SSG上的Flash及USB的檔案清單:


ssg5-serial-> get file 
    flash:/crashdump.dmp                32768
    flash:/burnin_log3                  20480
    flash:/burnin_log2                  20480
    flash:/burnin_log1                  20480
    flash:/burnin_log0                  20480
    flash:/pkidatabase.digest              20
    flash:/prngseed.bin                    32
    flash:/envar.rec                       94
    flash:/ns_sys_config                 1541
    flash:/ns_sys_cfg.sig                  20
    flash:/dhcpservl.txt                   68
    flash:/$lkg$.cfg                     1441

USB flash device :
    usb:/ssg5ssg20.6.3.0r10.0        13327280

5. 開始進行昇級動作:

ssg5-serial-> save software from usb ssg5ssg20.6.3.0r10.0 to flash
It will replace current image file with usb image ssg5ssg20.6.3.0r10.0.
Do you want to continue... y/[n] y
Load image from usb to flash: ssg5ssg20.6.3.0r10.0.

Read .........................................
Save to flash. It may take a few minutes ...
platform = 25, cpu = 12, version = 18
 update new flash image (029b29e0,13327280)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13327201
date = 1d84, sw_version = 31808000, cksum = 2deb1e58
Image authenticated!
Program flash (13327280 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done



6. 昇級完成之後,將USB安全移除:

ssg5-serial-> exec usb-device stop
The "USB Mass Storage Device"can now be safely removed from system

7. 將SSG5重置:

ssg5-serial-> reset
Configuration modified, save? [y]/n 
Save System Configuration  ... 
Done
System reset, are you sure? y/[n] n
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> reset
System reset, are you sure? y/[n] y
In reset ...


Juniper Networks SSG5 Boot Loader Version 1.3.2 (Checksum: A1EAB858)
Copyright (c) 1997-2006 Juniper Networks, Inc.

Total physical memory: 256MB
    Test - Pass
    Initialization - Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...
Done! (size = 13,336,576 bytes)

Image authenticated!

Start loading...
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................
Done.



Juniper Networks, Inc
SSG5/SSG20 System Software
Copyright, 1997-2008

Version 6.3.0r10.0
Cksum:4d5343a4
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
IPv6 is enabled
Changed to l3 mode
Initializing IPv6
Install modules (01264800,01fb4000) ... 
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns

System config (1555 bytes) loaded

Done.
Load System Configuration .............................................................................modem is not detected
....................................Disabled licensekey auto update
....................Done
system init done..


8. 重新登入SSG,檢查版本號碼是否正確,到此即已大功告成!

login: netscreen
password: 
ssg5-serial-> get system 
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r10.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Sun Dec 4 19:38:35 PST 2011
Base Mac: 88e0.f302.5ec0
File Name: ssg5ssg20.6.3.0r10.0, Checksum: 4d5343a4
, Total Memory: 256MB

Date 01/15/2002 03:34:45, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 1 minutes 43 seconds Since 15Jan2002:03:33:02
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.

Aug 16, 2012

Juniper Branch SRX Autoinstall USB製作方法

有時候想偷懶,懶得用FTP把JUNOS上傳到Branch SRX(SRX100/SRX200...)上;或是在機房裏真的忘了某一台設備的IP,懶得再走回座位去查,如果可以像以前M/T-Series直接用USB昇級JUNOS的話就可以省去許多的麻煩。

我以前曾經在JUNOS 10.2上嘗試過許多次都不成功,後來看到Juniper Learning Portal的教學才知道原來跟SRX本身的版本也有關係,至少要10.4以上才能支援USB自動昇級的功能。

步驟如下:

1. 先拿個USB隨身碟格式化成FAT/FAT32格式
2. 將要昇級的JUNOS版本(我是用複製到USB隨身碟中根目錄下
3. 執行這個指令
C:\> echo "">[USB隨身碟的磁碟代號]:\autoinstall.conf
EX: 我的USB隨身碟是F Drive,所以我的指令是
C:\> echo "">F:\autoinstall.conf
4. 把USB隨身碟插到SRX的USB slot中,接著稍待片刻讓SRX偵測到USB
以下是我現有的版本 
[edit]
root# run show version
Model: srx100h
JUNOS Software Release [10.4R6.5]


當你插入USB時,Console會出現類似以下的提示 
[edit]
root# umass1: Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: Removable Direct Access SCSI-0 device
da1: 40.000MB/s transfers
da1: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)
FSTYPE = 11...(omit)
 


5. 直接按下SRX的RESET CONFIG按鈕(注意不要按錯POWER按鈕)

6. 接下來所有的燈號都會變橙色燈號,然後就開始自動進行昇級動作;昇級完成會自動重新開機,開機完成後重新登入就看到新版本的JUNOS了!


Installing package '/altroot/cf/packages/install-tmp/junos-12.1R1.9-domestic' ... 
Verified junos-boot-srxsme-12.1R1.9.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1R1.9-domestic signed by PackageProduction_12_1_0
JUNOS 12.1R1.9 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ... 

Terminated
AWaiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 done

syncing disks... All buffers synced.
Uptime: 19m29s
Rebooting...
cpu_reset: Stopping other CPUs


U-Boot 1.1.6-JNPR-2.0 (Build time: Nov 17 2010 - 07:04:52)

SRX_100_HIGHMEM board revision major:0, minor:0, serial #: AT4411AF1158
OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  1024 MB
Starting Memory POST... 
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices... 4 USB Device(s) found
       scanning bus for storage devices... 2 Storage Device(s) found
Clearing DRAM........ done
BIST check passed.
Boot Media: nand-flash usb 
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
ELF file is 32 bit
Loading .text @ 0x8f000078 (244960 bytes)
Loading .rodata @ 0x8f03bd58 (13940 bytes)
Loading .rodata.str1.4 @ 0x8f03f3cc (16648 bytes)
Loading set_Xcommand_set @ 0x8f0434d4 (100 bytes)
Loading .rodata.cst4 @ 0x8f043538 (20 bytes)
Loading .data @ 0x8f044000 (5608 bytes)
Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)
Loading .data.rel @ 0x8f045660 (136 bytes)
Clearing .bss @ 0x8f0456e8 (11656 bytes)
## Starting application at 0x8f000078 ...
Consoles: U-Boot console  
Found compatible API, ver. 2.0

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.0
(builder@warth.juniper.net, Wed Nov 17 07:07:32 UTC 2010)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf 
/kernel data=0xae0e24+0x133964 syms=[0x4+0x89cb0+0x4+0xc7a56]


Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...               
Kernel entry at 0x801000d8 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2012, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1R1.9 #0: 2012-03-24 12:12:49 UTC
    builder@greteth:/volume/build/junos/12.1/release/12.1R1.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1R1.9 #0: 2012-03-24 12:12:49 UTC
    builder@greteth:/volume/build/junos/12.1/release/12.1R1.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 1073741824 (1024MB)
avail memory = 526438400 (502MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: on obio0
usb0: on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 2 ports with 1 removable, self powered
umass0: STMicroelectronics ST72682  High Speed Mode, rev 2.00/2.10, addr 3
umass1: Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 4
pcib0: on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: on pcib0
pci0: at device 2.0 (no driver attached)
pci0: at device 2.1 (no driver attached)
pci0: at device 2.2 (no driver attached)
cpld0 on obio0
gblmem0 on obio0
octpkt0: on obio0
cfi0: on obio0
Timecounter "mips" frequency 500000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: Removable Direct Access SCSI-2 device 
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
da1 at umass-sim1 bus 1 target 0 lun 0
da1: Removable Direct Access SCSI-0 device 
da1: 40.000MB/s transfers
da1: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)
Trying to mount root from ufs:/dev/da0s2a
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md0...

Media check on da0
Automatic reboot in progress...
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 70188 free (28 frags, 8770 blocks, 0.0% fragmentation)
Verified junos signed by PackageProduction_12_1_0
Verified jboot signed by PackageProduction_12_1_0
Verified junos-12.1R1.9-domestic signed by PackageProduction_12_1_0
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 12426 free (26 frags, 1550 blocks, 0.2% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 161600 free (112 frags, 20186 blocks, 0.1% fragmentation)
Loading configuration ...
mgd: commit complete
Setting initial options: .
Starting optional daemons:  usbd.
Doing initial network setup:
.
Initial interface configuration:
additional daemons: eventd.
Additional routing options:kern.module_path: /boot//kernel;/boot/modules -> /boot/modules;/modules/ifpfe_drv;kldload: Unsupported file type
/modules;
kld netpfe drv: ifpfed_dialer.
Doing additional network setup:.
Starting final network daemons:.
setting ldconfig path: /usr/lib /opt/lib
starting standard daemons: cron.
Initial rc.mips initialization:.
Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created
boot.upgrade.uboot="0xBFC00000"
boot.upgrade.loader="0xBFE00000"
Boot media /dev/da0 has dual root support
** /dev/da0s1a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 40329 free (49 frags, 5035 blocks, 0.0% fragmentation)
Thu Aug 16 16:13:17 UTC 2012

Amnesiac (ttyu0)

login:     
Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC


7. 大功告成!

 
 

Aug 14, 2012

BGP export(redistribution) policy without "match protocol" in JUNOS

今天在review公司core router時,發現有些BGP export policy有設match protocol,有些沒設,心中突然浮現一個問號?

「沒有設定match protocol可以進行static or connect redistribute to BGP的動作嗎?」

然後開始請教資深的同事們討論,結果大家有不同的認知,有的人認為只要export policy就可以將inet.0中的best route直接宣告給BGP neighbor,有的人認為應該要轉成BGP active route才能宣告給BGP neighbor…


其實這種情況常常發生在JUNOS設定中,因為網路的sample config都是很經典的大同小異,沒有太多的例外狀況可以參考,所以最後二話不說,直接實機演練來確認比較快,這也是我很頭痛的地方,只要沒有測試過Lab的JUNOS指令,我真的不能確定結果為何?(尤其是在不同platform及不同hardware combination的情況下)
  • 先把SRX設定成Packet Mode(很特別的指令 如果我沒上過JSEC的課程,打死也不知道設定packet mode會在這樣的階層下…family mpls你的存在跟packet mode到底有什麼關聯??? 真的很難理解啊!):
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
  • 再來設定兩個準備被轉成BGP的static & connected route (恕小弟偷懶,其他基本的interface設定就不在此列出)
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 100.100.100.100/32;
            }
        }
    }
}                                       
routing-options {
    static {
        route 200.200.200.0/24 discard;
    }
}
  • 然後開始設定prefix-list & policy-statement,我不設定match protocol直接利用prefix-list-filter來過濾路由,內容就是前面的loopback interface & static route
policy-options {
    prefix-list LO {
        100.100.100.100/32;
        200.200.200.0/24;
    }
    policy-statement LO_OUT {           
        from {
            prefix-list-filter LO exact;
        }
        then accept;
    }
}

  • 接著我先設定完另一邊的Router BGP(AS200)之後,開始設定本機的BGP相關設定:
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group EBGP {
            type external;
            neighbor 10.1.1.2 {
                export LO_OUT;
                peer-as 200;
            }
        }
    }
}

好了,大功告成後,確定BGP UP再來檢查宣告出去的BGP routes是否有包含static & connected routes:

root@SRX1# run show route advertising-protocol bgp 10.1.1.2 

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 100.100.100.100/32      Self                                    I
* 200.200.200.0/24        Self                                    I

答案揭曉! 真的是不需要特定的match protocol就可以將非BGP routes宣告給BGP neighbor,也就是說如果你想把所有的routes利用BGP轉發只要設定一個空的export policy(then accept)就能達到目的?...對不起,我還沒試過,所以我不敢百分之百肯定,下次有空再試給各位看看~