Juniper MX Port Numbering

Unfortunately the Juniper port numbering scheme causes a lot of confusion for people unfamiliar with the layout, and it gets worse when you are explaining it to remote hands on site.

I made a quick reference which I use for some of our MX480s, but the principle is the same on other hardware. It is handy for sending to third parties with the relevant port highlighted, so they don’t go pulling the wrong cables. :)

[image: juniper-ports quick reference]

F5 LTM Single VS to multiple pools port mapping

Scenario: a 1-to-1 mapping of ports on a single IP, with SSL terminated on the LTM, to corresponding inside ports on a local server.

Rather than creating a VS on the same IP for each individual port, I created one pool per port (each containing the same node on its own port) and handled the VS side with an iRule.

Eg:

pool0 – 192.168.1.100:45000
pool1 – 192.168.1.100:45001
pool2 – 192.168.1.100:45002

A single VS listening on all ports (* All Ports) was then created on that IP, with an iRule to pick the pool from the port the client hit. Because the VS accepts any port, the iRule’s default branch has to reject unmapped ports; otherwise the VS becomes a generic SSL front end to the node. Settings used:

Source: 0.0.0.0/0
SSL Profile (Client): [ your SSL profile ]
VLAN and Tunnel Traffic: Enabled on… [ appropriate interface ]
Source Address Translation: Auto Map
Address Translation: [ Should be ticked ]
Port Translation: Tick
Resources: [ Pick the iRule ]

iRule:

when CLIENT_ACCEPTED {
    # Choose the pool from the port the client connected to; Port
    # Translation on the VS then rewrites it to the pool member's port
    # (45000-45002). The VS listens on every port, so the default branch
    # drops anything not mapped instead of proxying it to the node.
    switch [TCP::local_port] {
        "5000" { pool pool0 }
        "5001" { pool pool1 }
        "5002" { pool pool2 }
        default { reject }
    }
}

Seems to work OK!

NB: I found a gotcha here as I was replacing an existing VS that listened on a specific port. The LTM always picks the most specific matching virtual server (an exact port beats the all-ports wildcard), and a VS that is merely disabled still claims its traffic, so if you shut down the old single-port VS and then create the all-ports VS on the same IP, connections to that port are refused rather than falling through to the new VS. Get around it by changing the original VS to an unused port (which keeps it available for reverting) or by deleting it.

Port redirection in iptables

Running an application as a non-privileged user normally means it can’t listen on ports 1023 and below (binding them needs root, or the CAP_NET_BIND_SERVICE capability). You can work around this with iptables by redirecting the privileged port to a higher one that the unprivileged process owns; the daemon never needs root, the kernel simply rewrites the destination port. This works well for HTTP.

If you keep your rules in an iptables-restore text file, add the following nat section (this redirects TCP port 80 to 8000):

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Redirect incoming TCP port 80 to 8000 (the filter table must then allow 8000)
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000

COMMIT

I keep my rules in a separate file (old habit), so I load them with iptables-restore < /etc/iptables-firewall-rules and then run service iptables save. From the command line the equivalent is:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8000

You still need a filter-table rule that allows traffic to the redirected port (8000 here), not to port 80: the nat PREROUTING rewrite happens before the filter INPUT chain sees the packet. Two caveats: the redirect only applies to packets arriving from the network (locally generated connections to port 80 pass through the nat OUTPUT chain, not PREROUTING), and port 8000 remains directly reachable unless you filter it, so the redirect is a convenience for the daemon, not a way to hide the service.
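The nat snippet above is only half of a working ruleset. As an added example (mine, not the page’s own configuration), the script below generates the complete iptables-restore file: the PREROUTING redirect, the matching nat OUTPUT rule so local connections are redirected too, and a filter table that admits the redirected port only for connections that actually came through the redirect. It assumes the daemon listens on port 8000, the public interface is eth0 and SSH should stay reachable; all three are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the page's own rules: builds the complete iptables-restore
# file for the 80 -> 8000 redirect, including the filter rules the nat-only
# snippet leaves out. Assumptions for illustration: the daemon listens on
# port 8000, the public interface is eth0, and only lo, SSH and the redirected
# web port should be reachable. Adjust before applying on a remote box.
PUB_PORT=${PUB_PORT:-80}
APP_PORT=${APP_PORT:-8000}
IFACE=${IFACE:-eth0}

build_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Packets arriving from the network: rewrite dport $PUB_PORT to $APP_PORT.
-A PREROUTING -i $IFACE -p tcp --dport $PUB_PORT -j REDIRECT --to-ports $APP_PORT
# PREROUTING never sees locally generated packets; without this rule a
# "curl http://localhost/" on the box itself bypasses the redirect.
-A OUTPUT -o lo -p tcp --dport $PUB_PORT -j REDIRECT --to-ports $APP_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# nat runs before filter, so the allow rule must name the redirected port,
# not $PUB_PORT. Matching the DNAT conntrack state (iptables-extensions(8))
# admits only connections whose destination was rewritten, so port $APP_PORT
# is not also open to clients that connect to it directly.
-A INPUT -i $IFACE -p tcp --dport $APP_PORT -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Validate the syntax, then load the whole ruleset atomically (needs root).
apply_rules() {
  build_rules | iptables-restore --test && build_rules | iptables-restore
}

# Exit 0 when the PREROUTING redirect is present (iptables -C tests a rule).
check_redirect() {
  iptables -t nat -C PREROUTING -i "$IFACE" -p tcp --dport "$PUB_PORT" \
    -j REDIRECT --to-ports "$APP_PORT"
}

case ${1:-print} in
  apply) apply_rules ;;
  check) check_redirect ;;
  *)     build_rules ;;   # default: print the ruleset for review
esac
```

Run it with no arguments to print the ruleset for review (or redirect it into your rules file), with apply to load it through iptables-restore after a --test pass, and with check to confirm the PREROUTING redirect is in place. The DNAT conntrack match is what stops port 8000 from being a second, unfiltered door to the same daemon.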

Resolve MAC addresses to Port, IP and DNS Name

Resolving a MAC address to its switch port, IP and DNS (or other name service) name, or more simply “resolve MAC to name”, is a challenge every network engineer runs into at some point in their career. It’s easily solved with a bit of thought and logic. Unfortunately the last few products I’ve used for this have either been abandoned or aren’t as multi-vendor as I’d like, so it seems the only solution is to write your own; bash and expect are sufficient.

If you’re thinking about doing this (and it’s a great learning exercise), you need to get around the following:

– Determining which interfaces on the switches are trunks, so you can strip those MAC entries out (CDP works quite well for this)
– Converting ARP and MAC output into a “clean” common format (CatOS and IOS, for example, print it differently)
– Detecting the fields across the various pieces of hardware, since output for the same command isn’t consistent between platforms
– Inconsistent logins and passwords
– Correlating the IP, MAC and interface information. This can be done with the UNIX join command and some awk/sed
– Deciding what to do with MACs that don’t resolve to an IP address (I include a flag to print these if required)
– Whether the machine you run DNS queries from can actually resolve the IPs to PTR records
– If using expect, stripping out stray characters (e.g. \r) that will otherwise break your greps and other string matching
– Adding plenty of debugging output so you can quickly tell why something isn’t working

I used expect to grab the ARP, CDP and MAC information, since on many devices you can’t get everything you need from SNMP. In my case this produces output like the following:

Switch       Interface       VLAN  MAC             IP               DNSName
nycsw12      Fa3/10          100   0060.b0aa.0000  192.168.10.30    NO_DNS
nycsw12      Fa2/16          99    1060.4b61.0001  192.168.9.72     nyc-pc573.company.corp.
nycsw12      Fa2/37          101   1060.4b64.0002  192.168.11.78    nyc-pc555.company.corp.
nycsw12      Fa2/42          101   1060.4b68.0003  192.168.11.115   nyc-pc572.company.corp.
nycsw12      Fa2/45          98    1060.4b6a.0004  192.168.8.99     nyc-pc588.company.corp.
nycsw12      Fa2/32          98    1060.4b6a.0005  192.168.8.121    nyc-pc601.company.corp.
nycsw12      Fa3/3           100   2c41.389e.d19f  192.168.10.99    nyc-pc480.company.corp.
nycsw13      Fa2/4           100   5c26.0a01.0ac4  192.168.10.67    nyc-pc246.company.corp.
nycsw13      Fa2/6           100   6c3b.e531.2ddf  192.168.10.85    nyc-pc745.company.corp.

Of course, you can always just use Excel to VLOOKUP your mac-address-table output against a sorted table of all your ARP entries, but that’s a bit less automatic.
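The list of things to get around is the plan; as an added example that is not the author’s script, here is the correlation stage written in POSIX shell with awk, sort and join, working on constructed sample MAC, ARP and CDP output embedded in the script (switch names, addresses and the offline PTR stand-in are all assumptions). It handles the items the list calls out: trunk ports are stripped, two vendor column layouts and MAC spellings are normalised to one join key, stray \r is removed, and MACs with no ARP entry are either dropped or flagged with an all switch.

```shell
#!/bin/sh
# Added example, not the author's expect/bash script: the correlation stage of
# "MAC -> switch port -> IP -> DNS name" done with awk, sort and join. Every
# input below is constructed sample data standing in for what expect would
# collect; switch names, addresses and the PTR stand-in are assumptions.

# Constructed "show mac address-table" from nycsw12 (IOS order: VLAN MAC Type Port).
MAC_NYCSW12='100    0060.b0aa.0000    DYNAMIC     Fa3/10
99     1060.4b61.0001    DYNAMIC     Fa2/16
100    2c41.389e.d19f    DYNAMIC     Fa3/3
100    aaaa.bbbb.cccc    DYNAMIC     Gi1/1
100    dead.beef.0001    DYNAMIC     Fa3/11'
# Constructed table from nycsw13 in a different column order and MAC spelling,
# the kind of platform difference the field detection below has to absorb.
MAC_NYCSW13='Fa2/4    100   5C:26:0A:01:0A:C4   dynamic
Fa2/6    100   6C:3B:E5:31:2D:DF   dynamic'
# Constructed "show ip arp" from the gateway (Protocol Address Age MAC Type Iface).
ARP_TABLE='Internet  192.168.10.30   12   0060.b0aa.0000  ARPA   Vlan100
Internet  192.168.9.72    5    1060.4b61.0001  ARPA   Vlan99
Internet  192.168.10.99   -    2c41.389e.d19f  ARPA   Vlan100
Internet  192.168.10.1    -    aaaa.bbbb.cccc  ARPA   Vlan100
Internet  192.168.10.67   3    5c26.0a01.0ac4  ARPA   Vlan100
Internet  192.168.10.85   7    6c3b.e531.2ddf  ARPA   Vlan100'
TRUNKS_NYCSW12='Gi1/1'   # constructed: the uplink "show cdp neighbors" would flag

# Stand-in for PTR lookups so the example runs offline; in production use
# "dig +short -x" from a host that can actually see the reverse zones.
resolve_ptr() {
  case "$1" in
    192.168.9.72)  echo 'nyc-pc573.company.corp.' ;;
    192.168.10.99) echo 'nyc-pc480.company.corp.' ;;
    192.168.10.67) echo 'nyc-pc246.company.corp.' ;;
    192.168.10.85) echo 'nyc-pc745.company.corp.' ;;
    *)             echo 'NO_DNS' ;;
  esac
}

# Normalise any spelling (0060.b0aa.0000, 00:60:B0:AA:00:00, 00-60-b0-aa-00-00)
# to lower-case Cisco dotted form so the join keys agree across vendors.
norm_mac() {
  printf '%s\n' "$1" | tr -d ':.-' | tr 'A-F' 'a-f' \
    | sed 's/^\(....\)\(....\)\(....\)$/\1.\2.\3/'
}

# mac_entries TABLE TRUNKS: emit "mac vlan port", picking fields by shape
# rather than column position, stripping stray \r from expect, and dropping
# trunk ports (a trunk would otherwise claim every MAC behind it).
mac_entries() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v trunks="$2" '
    BEGIN { n = split(trunks, t, " "); for (i = 1; i <= n; i++) trunk[t[i]] = 1 }
    {
      vlan = mac = port = ""
      for (i = 1; i <= NF; i++) {
        m = $i; gsub(/[.:-]/, "", m)
        if ($i ~ /[.:-]/ && length(m) == 12 && m ~ /^[0-9a-fA-F]+$/) mac = $i
        else if ($i ~ /^[0-9]+$/ && vlan == "") vlan = $i
        else if ($i ~ /^[A-Za-z]+[0-9]+(\/[0-9]+)+$/) port = $i
      }
      if (mac != "" && port != "" && !(port in trunk)) print mac, (vlan != "" ? vlan : "-"), port
    }' | while read -r mac vlan port; do
    printf '%s %s %s\n' "$(norm_mac "$mac")" "$vlan" "$port"
  done
}

# Emit "mac ip" from the ARP table, keyed on the same normalised MAC.
arp_entries() {
  printf '%s\n' "$ARP_TABLE" | tr -d '\r' | awk '$1 == "Internet" { print $4, $2 }' \
    | while read -r mac ip; do printf '%s %s\n' "$(norm_mac "$mac")" "$ip"; done
}

# correlate SWITCH TABLE TRUNKS [all]: join both sides on the MAC column (each
# sorted under the same collation, which join requires). With "all", MACs that
# have no ARP entry are kept and flagged NO_ARP instead of vanishing silently.
correlate() {
  local switch table trunks mode a b
  switch=$1; table=$2; trunks=$3; mode=${4:-}
  a=$(mktemp); b=$(mktemp)
  mac_entries "$table" "$trunks" | LC_ALL=C sort -k1,1 > "$a"
  arp_entries | LC_ALL=C sort -k1,1 > "$b"
  if [ "$mode" = all ]; then
    LC_ALL=C join -a 1 -e NO_ARP -o 0,1.2,1.3,2.2 "$a" "$b"
  else
    LC_ALL=C join -o 0,1.2,1.3,2.2 "$a" "$b"
  fi | while read -r mac vlan port ip; do
    if [ "$ip" = NO_ARP ]; then dns=NO_DNS; else dns=$(resolve_ptr "$ip"); fi
    printf '%-12s %-15s %-5s %-15s %-16s %s\n' "$switch" "$port" "$vlan" "$mac" "$ip" "$dns"
  done
  rm -f "$a" "$b"
}

# report [all]: header plus every switch; "all" also lists unresolved MACs.
report() {
  printf '%-12s %-15s %-5s %-15s %-16s %s\n' Switch Interface VLAN MAC IP DNSName
  correlate nycsw12 "$MAC_NYCSW12" "$TRUNKS_NYCSW12" "${1:-}"
  correlate nycsw13 "$MAC_NYCSW13" "" "${1:-}"
}
report "${1:-}"
```

Running the script with no arguments prints the table in the format shown above; with all it also lists MACs that have no ARP entry (NO_ARP / NO_DNS), which is the flag the list mentions. To use it for real, swap resolve_ptr for dig +short -x and feed the expect output in place of the embedded tables; the join keys only match because both sides go through norm_mac first.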