Recently I’ve started playing with hping and tcpping to allow for tcp/udp packet testing.

One neat little tool called GNUPlot allows for you to take statistics and then plot them on a diagram. In this tutorial I’ll show you how easy it is.

Step 1: Gather the data and extract out to a .dat file

Via TCPPing

shell> tcpping -x 600 www.pingpros.com 80 | awk 'NF > 1 { print $(NF - 1); }' | grep -E "[0-9]" > pingprostcpdata.dat

Via hping3

shell> hping3 -S -p 80 -c 600 www.pingpros.com | awk 'NF > 1 { print $(NF - 1); }' | grep -E "[0-9]" | sed -e 's/rtt=//g' > pingproshpingdata.dat


Via ICMP

shell> ping -c 600 www.google.com | awk -F [=\ ] 'NF > 1 { print $(NF - 1); }' | grep -E "[0-9]" > pingprosicmpdata.dat

If you can cat the files you’ll notice the data is the same. It’s up to you which program you want to run on! They both work and provide the same data. My preference is tcpping but if you are an hping type of person go ahead and play around with the script as you like.

TCPPING Results:

23.505
25.563
22.789
23.976
26.712
21.986
23.228
22.705
22.944
22.816

HPING Results

23.4
25.1
23.1
26.1
22.2
26.6
26.0
23.1
26.9
23.8

With GNUPlot installed type in:

shell> gnuplot

In the GNUPlot terminal add:


set terminal pngcairo size 1024,768 enhanced font 'Verdana,10'
set output "vrrp-vs-nonvrrp.png"
set ylabel "Time in miliseconds"
set xlabel "Number of Pings"

set autoscale

set style line 1  lc rgb ‘#0025ad’ lt 1 lw 1.5
set style line 2  lc rgb ‘#09ad00’ lt 1 lw 1.5

plot “pingprostcpping.dat” title “some title” w lp, \
“pingproshping.dat” title “some other title” w lp

You can also awk you files to find the average:

awk ' FNR==1 {average1 += $1} END {print average1;}' pingprostcpdata.dat
0.334
awk -v N=1 '{ sum += $N } END { if (NR > 0) print sum / NR }' pingprostcpdata.dat
You can also make bar graphs to compare the data

set terminal pngcairo enhanced font 'Verdana,10'
set output "vrrp-vs-nonvrrp-bargraph.png"

set style fill solid

set autoscale

plot [0.5:][0:10] ‘pingproshping.dat’ with histogram, ‘sw1-core-vlan134.dat’ with histogram

The Setup:

• You have an MX80 with three ISP connections out to the internet.
• Ports ge-1/0/0, ge-1/0/1, ge-1/0/2, and ge-1/0/3 all need to have their traffic mirrored
  • Bandwidth for all ports combined is 300 Mbps…so it will not be a problem with utilization another Gig Port to dump all data to
• Port ge-1/0/4 is the port on the MX80 connecting directly to the Security Appliance
• You have a security appliance with a TAP port configured to sniff all data transiting the MX 80
  • NO IP Address is assigned
  • You can obtain the MAC address which in this case is: 00:1b:17:37:17:24

The Problem:

On Cisco NX-OS it’s very simple to accomplish:
monitor session 1 

The Solution:

Note: See Step #4 in terms of why we choose the next hop to be 1.1.12

Step #2: Setup a firewall to mirror the port traffic
set firewall family inet filter port-mirror term 1 then port-mirror
set firewall family inet filter port-mirror term 1 then accept
set firewall family inet filter port-mirror term 2 then accept

Step #3: Map The Ports you want to mirror with the firewall filter

set interfaces ge-1/0/1 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/1 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/2 unit 0 family inet filter output port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter input port-mirror
set interfaces ge-1/0/3 unit 0 family inet filter output port-mirror

• Multiple Ports, Port-Mirror on Juniper MX80 going to a directly connected TAP port

Having utilized routing-instances in the MX series to segregate management functions/protocols away from insecure internet sources I ran into an instance that’s quite unique to the SRX platform only.

Normally for management items on an MX series one would create a separate routing instance away from the routing instance (see image below). This allows for segregation and reduces potential security holes in your design.

Design Main Points:
Create a MGMT routing-instance and import/export ribs between the the main and mgmt inet.0 routing tables, NAT and re-route certain management protocols/functions (NTP, netconf, syslog, snmp, etc…) from the main routing table (inet.0) to mgmt.inet.0.

Note: This assumes that your company is very strict on opening ports and doing NAT device cross talk between your outside region. Valid in corporations with standards…not so much within smaller companies that don’t care for security of course.

Underlying Problem:
While most items can be re-routed and transferred over, one particular item is not doable on the SRX systems themselves.

If you want to use an internal ntp client to maintain and manage time for all of your server equipment SRX series routers simply cannot route ntp over any instance but the main one (IE. inet.0).

So why doesn’t it work on the SRX Series?
It’s the way the SRX bootup procedures are setup. It will always use the main routing table (inet.0).

KB Article:
http://kb.juniper.net/InfoCenter/index?page=content&id;=KB22499&actp;=RSS

The little things and difference are usually annoying so hopefully somebody will find this article in case they have similar designs and requirements.

• Juniper SRX management routing-instance limitations

• Juniper EX Series
• Juniper MX Series
  • Multiple Ports, Port-Mirror on Juniper MX80 going to a directly connected TAP port
• Juniper SRX Series
  • Juniper SRX management routing-instance limitations

If you plan on migrating routing protocols or have multiple routing protocols it’s important to note the administrative distance values so you are aware of which route preferences will be based on the protocol.

You can change the preferences of protocols by changing the values to a lower value.

Remember: The lower the number, the higher the routing preference (IE: OSPF with a value of 110 will be preferred over RIP with a value of 120).

The table below compares Cisco and Juniper Distance values below to show vendor similarities: