Juniper Apstra 4.2.1
EVE-NG Virtual Lab Demo
Video series companion guide
VIDEO 10: DAY-1 INTERNET CONNECTIVITY
Colin Doyle, Sr. CE AMER
See the complete video walkthrough on YouTube
at: https://www.youtube.com/@5minutejunos
Ask questions at the Juniper Elevate Community
using the hashtag #5minutejunos
Adapted from v4.0.0 documentation originally
compiled by:
© 2024 Juniper Networks - Raymond Lam, SSE APAC
Agenda
Prepping your Lab
Day-0 Fabric Onboarding
• Virtual Device Profile Verification
• Virtual Device Profile Cloning
• Onboarding Virtual Nodes
• Create ASN Pool and IP Pools
• Create Logical Devices and Interface Maps
• Create Rack Types
• Create Templates
• Create Blueprints
Day-1 Service Provisioning
• Create Routing Zones
• Create Virtual Networks
• Assign Virtual Network to Switchports
• Add Server Links
• Data Center Interconnect
• DCI Addendum: Direct Peering
• Core/WAN Connectivity
• Internet Connectivity
Day-2 Operational Scenarios
• Incorrect Cable Patch (RCA, LLDP Link Discovery, Time Voyager)
• Config Deviation Checking
• Apply custom config through Configlet
• View Telemetry Data
• Hardware Replacement
Future Documentation
• Firewall Service Chaining
• Cluster with Service Block
• Type-5 Route (fabric integrated) with MNHA
• VLAN Stitching
• vEvo Fabric
© 2024 Juniper Networks 2
Day-1 Service Provisioning
• Create Routing Zones
• Create Virtual Networks
• Assign Virtual Network to Switchports
• Add Testing Hosts
• Data Center Interconnect (OTT)
• DCI Addendum – Direct Peering
• Core Connectivity
• Internet Connectivity
Connecting My Lab to the Internet - Overview
At this point, we have built our “Core” connectivity by peering our external routers
directly with Tenant-1 VRF on the fabric border routers in each DC and
advertising a default route into that VRF.
Depending on your requirements, you may opt to add additional non-fabric network
nodes, hosts, and/or other virtual devices to your lab to develop and test fabric<->core
connectivity.
My lab is connected to an isolated lab network at my house that allows me to
connect physical hardware, other running virtual labs, and provide Internet
connectivity.
This section will detail my setup. As always, take from it what you need to meet
your own requirements, or skip this section altogether if you already have what you
need.
Connecting My Lab to the Internet - Overview
Bits and Pieces:
• To simplify routing, the WAN_Sim node is a vSRX and will be configured with sNAT
• The WAN_Sim ge-0/0/2 interface will be assigned a static IP via DHCP by my WAN firewall gateway
• I’ll configure a default route on the WAN_Sim node to my WAN firewall gateway
• There’s an upside and a downside to doing sNAT this way:
• Upside – The WAN_Sim node is being assigned an IP address from an address pool that is already configured for routing and connectivity to the public Internet. sNAT allows me to enable routing for hosts in the lab without any additional configuration on my Internet firewall.
• Downside – This only allows Internet connectivity from the lab – I cannot connect to anything inside the lab from outside the lab. That’s because we’re doing double-NAT, so my other networks don’t see the networks in the virtual lab, only the ge-0/0/2 interface on the WAN_Sim node.
To test from hosts outside your virtual lab, more configuration is required. Ditch NAT on the WAN_Sim, run an IGP between your non-fabric virtual and physical routers, configure your Internet firewall NAT and security policies for the lab networks, etc… Or use statics – whatever suits you.
• To simplify security bits, all interfaces will be added to the default “trust” security-zone
• For fun, P2P OSPF will be used to connect ext-rtr1/ext-rtr2 to the WAN_Sim node
Configure WAN_Sim Connectivity to Internet Gateway
• Configure:
• set system root-authentication plain-text-password (Juniper)
• set system host-name WAN_Sim
• delete system services
• wildcard range set security zones security-zone trust interfaces ge-0/0/[0-2].0
• set security zones security-zone trust host-inbound-traffic protocols all
• set security zones security-zone trust host-inbound-traffic system-services any-service
• set interfaces ge-0/0/0.0 family inet address 10.100.200.1/31
• set interfaces ge-0/0/1.0 family inet address 10.100.201.1/31
• set interfaces ge-0/0/2.0 family inet dhcp
• commit and-quit
• Verify address on ge-0/0/2 if using DHCP
• show interfaces terse ge-0/0/2
Note: vSRX can be moody about DHCP at times. If you aren’t getting a lease, reboot the node. If it continues to be a problem, just set a static and don’t forget to add a static default route as well.
Configure WAN_Sim sNAT
• Configure:
• set security address-book global address vn101 192.168.101.0/24
• set security address-book global address vn102 192.168.102.0/24
• set security address-book global address vn103 192.168.103.0/24
• wildcard range set security address-book global address-set Virtual-Networks address vn10[1-3]
• set security nat source rule-set SNAT from interface [ ge-0/0/0.0 ge-0/0/1.0 ]
• set security nat source rule-set SNAT to interface ge-0/0/2.0
• set security nat source rule-set SNAT rule r1 match source-address-name Virtual-Networks
• set security nat source rule-set SNAT rule r1 match destination-address 0/0
• set security nat source rule-set SNAT rule r1 then source-nat interface
• commit and-quit
• Verify config (no translations at this point)
• show security nat source rule r1
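To make the rule-set logic above concrete, here is an added example (not vSRX code and not from the original deck) that models how the SNAT rule-set and its single rule are matched: the rule-set is selected by ingress and egress interface, then rules are tried in order. The WAN lease address and the flows are constructed values.

```python
import ipaddress

# Constructed model of the WAN_Sim source-NAT configuration on this page.
# WAN_IP is an assumed DHCP lease on ge-0/0/2.0, not a real address from the lab.
WAN_IP = "192.0.2.25"
ADDRESS_BOOK = {f"vn{n}": ipaddress.ip_network(f"192.168.{n}.0/24") for n in (101, 102, 103)}
ADDRESS_SETS = {"Virtual-Networks": ["vn101", "vn102", "vn103"]}
RULE_SET_SNAT = {
    "from": {"ge-0/0/0.0", "ge-0/0/1.0"},   # from interface [ ge-0/0/0.0 ge-0/0/1.0 ]
    "to": {"ge-0/0/2.0"},                   # to interface ge-0/0/2.0
    "rules": [("r1", {"source_set": "Virtual-Networks", "dst": "0.0.0.0/0"}, "interface")],
}

def in_address_set(addr, set_name):
    """True if addr falls in any address-book entry of the named address-set."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ADDRESS_BOOK[name] for name in ADDRESS_SETS[set_name])

def snat_decision(in_if, out_if, src, dst):
    """Return the translated source for a flow, or None when no rule applies.
    The rule-set is chosen by ingress/egress interface; rules are first-match."""
    rs = RULE_SET_SNAT
    if in_if not in rs["from"] or out_if not in rs["to"]:
        return None
    for _name, match, action in rs["rules"]:
        if (in_address_set(src, match["source_set"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(match["dst"])):
            return WAN_IP if action == "interface" else None
    return None

# Constructed flows: a vn101 host reaching the Internet, the ext-rtr1 link
# address (not in the address-set), and an inbound flow arriving on ge-0/0/2.0.
FLOWS = [
    ("ge-0/0/0.0", "ge-0/0/2.0", "192.168.101.11", "203.0.113.10"),
    ("ge-0/0/0.0", "ge-0/0/2.0", "10.100.200.0", "203.0.113.10"),
    ("ge-0/0/2.0", "ge-0/0/0.0", "203.0.113.10", "192.168.101.11"),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", snat_decision(*flow))
```

The third flow illustrates the downside described earlier: nothing translates or rewrites traffic entering from the WAN side, so only the ge-0/0/2 address is ever visible from outside the lab.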
Configure ext-rtr1 and ext-rtr2 Connectivity to WAN_Sim
• Configure ext-rtr1:
• set interfaces ge-0/0/3.0 family inet address 10.100.200.0/31
• commit and-quit
• Configure ext-rtr2:
• set interfaces ge-0/0/3.0 family inet address 10.100.201.0/31
• commit and-quit
• Verify
• Ping between everything
Configure P2P OSPF
• ext-rtr1 and ext-rtr2 (config elements are identical)
• delete routing-options static
• delete policy-options policy-statement EXPORT_DEFAULT term default from
• set policy-options policy-statement EXPORT_DEFAULT term default from protocol ospf route-filter 0.0.0.0/0 exact
• set protocols ospf area 0 interface ge-0/0/3.0 interface-type p2p
• wildcard range set policy-options prefix-list Virtual-Networks 192.168.10[1-3].0/24
• set policy-options policy-statement EXPORT_OSPF term Virtual-Networks from protocol bgp prefix-list Virtual-Networks
• set policy-options policy-statement EXPORT_OSPF term Virtual-Networks then accept
• set policy-options policy-statement EXPORT_OSPF term default-action then reject
• set protocols ospf export EXPORT_OSPF
• commit and-quit
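The two policies above redistribute in opposite directions: EXPORT_DEFAULT hands the OSPF-learned default to BGP (towards the fabric), and EXPORT_OSPF hands the BGP-learned virtual-network subnets to OSPF (towards WAN_Sim), rejecting everything else so the default route is never reflected back. The following is an added example (not Junos code and not from the original deck) that models Junos first-match term evaluation for exactly these policies; the RIB entries are constructed, and the final reject term in EXPORT_DEFAULT is an assumption, since that policy's other terms were built in earlier videos and are not shown here.

```python
import ipaddress

# Constructed model of the ext-rtr export policies configured on this page.
VIRTUAL_NETWORKS = [ipaddress.ip_network(f"192.168.10{i}.0/24") for i in (1, 2, 3)]

# A term is (name, from-conditions, action); empty conditions match any route.
EXPORT_DEFAULT = [  # BGP export towards the fabric border leafs
    ("default", {"protocol": "ospf", "route_filter_exact": "0.0.0.0/0"}, "accept"),
    # Assumed catch-all: the policy's remaining terms are not shown on this page.
    ("reject-rest", {}, "reject"),
]
EXPORT_OSPF = [     # OSPF export towards WAN_Sim
    ("Virtual-Networks", {"protocol": "bgp", "prefix_list": VIRTUAL_NETWORKS}, "accept"),
    ("default-action", {}, "reject"),
]

def term_matches(conds, route):
    """All conditions of a term must hold for the term to match (Junos AND semantics)."""
    net = ipaddress.ip_network(route["prefix"])
    if "protocol" in conds and route["protocol"] != conds["protocol"]:
        return False
    if "route_filter_exact" in conds and net != ipaddress.ip_network(conds["route_filter_exact"]):
        return False
    if "prefix_list" in conds and net not in conds["prefix_list"]:
        return False
    return True

def evaluate(policy, route):
    """Terms are tried in order and the first matching term's action decides.
    Both policies end in a catch-all term, so nothing falls through to the
    exporting protocol's default behaviour; we return reject if it ever did."""
    for _name, conds, action in policy:
        if term_matches(conds, route):
            return action
    return "reject"

def exported(policy, rib):
    """Prefixes the policy would let through, sorted for stable comparison."""
    return sorted(r["prefix"] for r in rib if evaluate(policy, r) == "accept")

# Constructed ext-rtr RIB: default from WAN_Sim via OSPF, virtual-network
# subnets from the fabric via BGP, and the directly connected WAN_Sim link.
EXT_RTR_RIB = [
    {"prefix": "0.0.0.0/0", "protocol": "ospf"},
    {"prefix": "192.168.101.0/24", "protocol": "bgp"},
    {"prefix": "192.168.102.0/24", "protocol": "bgp"},
    {"prefix": "192.168.103.0/24", "protocol": "bgp"},
    {"prefix": "10.100.200.0/31", "protocol": "direct"},
]

if __name__ == "__main__":
    print("advertised to fabric via BGP:", exported(EXPORT_DEFAULT, EXT_RTR_RIB))
    print("advertised to WAN_Sim via OSPF:", exported(EXPORT_OSPF, EXT_RTR_RIB))
```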
Configure P2P OSPF
• WAN_Sim
• If you are using DHCP for your WAN IP and default gateway:
• set policy-options policy-statement OSPF_EXPORT term default from protocol access-internal route-filter 0.0.0.0/0 exact
• If you are using a static IP for your WAN connection:
• set routing-options static route 0/0 next-hop <g/w address>
• set policy-options policy-statement OSPF_EXPORT term default from protocol static route-filter 0.0.0.0/0 exact
• set policy-options policy-statement OSPF_EXPORT term default then accept
• set policy-options policy-statement OSPF_EXPORT term default_action then accept
• wildcard range set protocols ospf area 0 interface ge-0/0/[0-1].0 interface-type p2p
• set protocols ospf area 0 interface ge-0/0/2.0 passive
• set protocols ospf export OSPF_EXPORT
• commit and-quit
Note: Since I’m using DHCP for my WAN interface IP and to program my default gateway, my export policy references “access-internal” as the protocol.
Verify Internet Connectivity
Default Route from WAN_Sim to Server Leafs
• WAN_Sim: show route 0/0 exact
> check next-hop and interface. Source will vary depending on whether you are using DHCP (Access-Internal) or Static
• ext-rtr’s: show route 0/0 exact
> verify next-hop is WAN_Sim and route is learned from OSPF
• server leafs: show route table Tenant-1.inet.0 0/0 exact
> verify you see the default route – they should be visible
• ext-rtr’s: show route advertising-protocol bgp <peering IP address of connected border leafs>
> verify you are only advertising the default route
• WAN_Sim: show route protocol ospf
> verify you are only seeing virtual-network subnets (you can disregard the multicast group you see – that’s always there)
Verify Internet Connectivity from Hosts
Log into your testing hosts and test using ping, a browser, DNS lookup, etc…
• If you cannot reach the public Internet, troubleshoot from the host first, then move back towards the Internet Edge
• Hosts: verify IP addressing, next-hop gateway, and DNS settings (if testing using a browser or public host names)
• Server Leafs: ensure the default route is in the Tenant-1 inet.0 table
• Border Leafs: ensure your default route points to the directly-connected ext-rtr node
• ext-rtr’s: verify routes have valid next-hops both towards the Internet (default) and towards the hosts (virtual-networks)
• WAN_Sim: verify NAT is working and the default next-hop is valid/reachable
• Use the eve-ng built-in packet capture to follow the data-path
• Remember that you need routes from the fabric to the Internet, and from the WAN_Sim back to the host networks in the fabric.
Screenshot: Test from A-BMS-1 @ 192.168.101.11 on vn101
Screenshot: Test from B-BMS-2 @ 192.168.103.55 on vn103
I was going to show an open browser, but my uMate image is old enough that the SSL ciphers are garbage and Firefox needs to be updated. The host is resolving hostnames and pulling updates, so we’re good!