The 1U Olive

[seraphus]

NOTE: Of course, you can build a VMWare Olive, but I don’t want to use my current machine for that. If that suits your needs, check it out: Building a Juniper 'Olive' running latest JUNOS in VMWare.

Getting back into Juniper has been great so far, most especially because of the Fast Track materials. That stated, I still need to get a little more hands-on with JUNOS. I recently built one Olive already, with a plan to add a couple more eventually. My first Olive is contained in a 4U server rackmount case. That’s a space eater. A good friend of mine with a firewall background (who also is using Fast Track) thought it might be possible to use a 1U Nokia IP330. His company had several they were about to toss, so what the hey right?

Here are the specs:

1U-sized PC appliance
1x AMD K6-2 CPU @400 MHz (i586)
256 MB PC-100 SDRAM
1x 20GB IDE hard drive
3x Intel 82558 Pro/100 Ethernet (fxp(4))
2x RS-232 serial interfaces (DB-9 male) with BIOS-level serial console

You can find similar ones here:
nokia IP330, great deals on Computers Networking on eBay!

1. I had to connect the Hard Drive from the IP330 to my first Olive (in place of the current working HD). The IDE port on the IP330 motherboard has an extra pin which prevented me from connecting a standard IDE cable with master and slave connectors for dual use of the HD and CD ROM.

2. I installed FreeBSD mini 4.4 per Sid Smokes.
Juniper Olive Install: Juniper Olive has more granular instructions for basic *nix folks like myself. These sites also contain the instructions for loading JUNOS. Note: For my initial installation I used jinstall-7.4R1.7-export-signed.tgz and I upgraded to jinstall-8.3R2.8-export-signed. I don’t have enough RAM to upgrade to jinstall-9.x …yet.


3. When the install of FreeBSD completed (and rebooted), I logged in as root to complete the file system changes. I then mounted the cdrom and copied the jninstall to the /var/temp (as per the above instructions).

4. I then ran the pkg_add command. Once that completes a "reboot" will need to be issued. (This is normal so far). After I issued the "reboot" the machine began to reboot (of course). When it powered down, and before it powered up, I manually turned off the power to that machine.

5. I removed the drive, and re-installed it in the IP330. I connected the power cable, then a null-modem cable to the console port and booted the IP330 up. Null modem cables can be found here: RS-232 Null Modem, great deals on Computers Networking, Electronics on eBay!

6. It took about 15 minutes, more or less, for the IP330 to boot all the way up to the login prompt. I did see the following error (you may see several, but I was concerned only about this one):

fxp: Could not derive MAC address from EEPROM
fxp0: Ethernet address 02:00:02:00:00:04
fxp: Could not derive MAC address from EEPROM
fxp1: Ethernet address 02:00:03:00:00:04
fxp: Could not derive MAC address from EEPROM
fxp2: Ethernet address 02:00:04:00:00:04

While probably not an issue for only one IP330 Olive, all of my IP330 Olives assigned a dummy MAC address (of 02:00:0X:00:00:04) to the respective fxp ports on each Olive. You can manually change the MAC address to avoid duplicates:

jnpr@OLIVE1# set interfaces fxp0 mac ?
Possible completions:
<mac> Hardware MAC address
[edit].

I was able to easily assign an IP, configure telnet/hostname/1 superuser, and telnet
from my machine.

Here's what fxp0 looks like:

jnpr@OLIVE2# run show interfaces fxp0
Physical interface: fxp0, Enabled, Physical link is Up
Interface index: 1, SNMP ifIndex: 1
Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Link flags : 4
Current address: 02:00:02:00:00:04, Hardware address: 02:00:02:00:00:04
Last flapped : Never
Input packets : 10
Output packets: 1

Logical interface fxp0.0 (Index 65) (SNMP ifIndex 13)
Flags: SNMP-Traps Encapsulation: ENET2
Protocol inet, MTU: 1500
Flags: Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 192.168.5/24, Local: 192.168.5.96,
Broadcast: 192.168.5.255

And show version:

jnpr@OLIVE2> show version
Hostname: OLIVE2
Model: olive
JUNOS Base OS boot [8.3R2.8]
JUNOS Base OS Software Suite [8.3R2.8]
JUNOS Kernel Software Suite [8.3R2.8]
JUNOS Packet Forwarding Engine Support (M/T Common) [8.3R2.8]
JUNOS Packet Forwarding Engine Support (M20/M40) [8.3R2.8]
JUNOS Online Documentation [8.3R2.8]
JUNOS Routing Software Suite [8.3R2.8]

jnpr@OLIVE2>

[Aldur]

Excellent post!

I really wish I would have known about this back in the day when I was making my own olives. Looks like you can pick up some of these cheep firewalls on ebay for around 20$. I definitely spent way more then that when building an olive...

Quick question, can you pass traffic on the ports?

I know that getting the correct NIC's is a major concern with building an olive from a PC. I've had NIC's that came up but wouldn't pass traffic in the end.

[seraphus]

Excellent post!

I really wish I would have known about this back in the day when I was making my own olives. Looks like you can pick up some of these cheep firewalls on ebay for around 20$. I definitely spent way more then that when building an olive...

Quick question, can you pass traffic on the ports?

I know that getting the correct NIC's is a major concern with building an olive from a PC. I've had NIC's that came up but wouldn't pass traffic in the end.

Thanks, Aldur. You're absolutely right, getting the correct NICs is a major concern, other wise your Olive is on an island, so to speak. The built in NICs do pass traffic. The ethernet specifications (3x Intel 82558 Pro/100 Ethernet ports) actually match the recommendations put forth by JuniperClue:

Olive - JuniperClue

Network Cards
You must have the right network cards!
You must have the right network cards!

It's crucially important to have the right network cards. You can't just use any old one. You can use the Intel support website to identify their adapters.

Network cards that do work:

* Intel EtherExpress Pro/100 and Pro/100B (82558 / 82558B chipset)
* Intel EtherExpress Pro/100+ Management Adapter (82559 chipset)
* Intel Pro/1000MT Desktop Gigabit Adapter
* Intel Pro/1000MT Dual Port Server Adapter (FW82546EB chipset)
* Intel ICH3 Onboard Controller (82801CAM)
* Compaq NC3120 (82258 chipset)
* Compaq NC3121 (82558B chipset)
* Matrox QS-NIC Quad FE NIC (8255x chipset)

JunOS 4.x had support for DEC 21x40 network cards so you could install it under VMware.

So once up and running, I connected them to a Cisco 2950 I had laying around (per one of your recommendations, actually.... see attached).

I was quickly able to set up a basic OSPF scenario with OLIVE 1 & OLIVE 3 in Area 0.0.0.0, and OLIVE 3 and OLIVE 2 in area 0.0.0.1.

Some output:

jnpr@OLIVE2>

jnpr@OLIVE2> clear interfaces statistics fxp2

jnpr@OLIVE2> show interfaces fxp2
Physical interface: fxp2, Enabled, Physical link is Up
Interface index: 3, SNMP ifIndex: 3
Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Current address: 02:00:04:00:00:04, Hardware address: 02:00:04:00:00:04
Last flapped : 2009-08-31 16:57:11 UTC (00:08:39 ago)
Input packets : 1
Output packets: 0

Logical interface fxp2.0 (Index 65) (SNMP ifIndex 15)
Flags: SNMP-Traps Encapsulation: ENET2
Bandwidth: 0
Input packets : 1
Output packets: 0
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.168.1/24, Local: 172.168.1.2, Broadcast: 172.168.1.255

jnpr@OLIVE2> show ospf neighbor extensive
Address Interface State ID Pri Dead
172.168.1.3 fxp2.0 Full 10.1.1.3 128 34
Area 0.0.0.1, opt 0x42, DR 172.168.1.2, BDR 172.168.1.3
Up 00:08:42, adjacent 00:08:09

jnpr@OLIVE2> ping 172.168.1.3 count 3
PING 172.168.1.3 (172.168.1.3): 56 data bytes
64 bytes from 172.168.1.3: icmp_seq=0 ttl=64 time=0.432 ms
64 bytes from 172.168.1.3: icmp_seq=1 ttl=64 time=0.346 ms
64 bytes from 172.168.1.3: icmp_seq=2 ttl=64 time=0.383 ms

--- 172.168.1.3 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.346/0.387/0.432/0.035 ms

jnpr@OLIVE2> traceroute 10.1.1.3
traceroute to 10.1.1.3 (10.1.1.3), 30 hops max, 40 byte packets
1 10.1.1.3 (10.1.1.3) 0.511 ms 0.329 ms 0.264 ms

jnpr@OLIVE2> traceroute 10.1.1.1
traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 40 byte packets
1 172.168.1.3 (172.168.1.3) 0.446 ms 0.339 ms 0.256 ms
2 10.1.1.1 (10.1.1.1) 0.382 ms 0.370 ms 0.339 ms

jnpr@OLIVE2> show interfaces fxp2
Physical interface: fxp2, Enabled, Physical link is Up
Interface index: 3, SNMP ifIndex: 3
Type: Ethernet, Link-level type: Ethernet, MTU: 1514, Speed: 100mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Current address: 02:00:04:00:00:04, Hardware address: 02:00:04:00:00:04
Last flapped : 2009-08-31 16:57:11 UTC (00:09:13 ago)
Input packets : 17
Output packets: 16

Logical interface fxp2.0 (Index 65) (SNMP ifIndex 15)
Flags: SNMP-Traps Encapsulation: ENET2
Bandwidth: 0
Input packets : 17
Output packets: 16
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.168.1/24, Local: 172.168.1.2, Broadcast: 172.168.1.255

jnpr@OLIVE2>

jnpr@OLIVE2>

[Aldur]

Good stuff! Man that's awesome to see that the NIC's are compatible and pass traffic easily.

With the low cost and small size of these Nokia boxes I think that this is a better way to go then even using virtualized olives.

Something that comes to mind is if we could load the J series software on these boxes. If so we'd have a extremely cheap way of making a J series box that would allow people to play with services and what not. If it worked it would be a good alternative to dropping 400-500$ per J2300

[seraphus]

Something that comes to mind is if we could load the J series software on these boxes. If so we'd have a extremely cheap way of making a J series box that would allow people to play with services and what not. If it worked it would be a good alternative to dropping 400-500$ per J2300

That would be fantastic!

Let me see what can be found out.

[tiersten]

Nice thread. Maybe I should pick up a IP330 just to play around with...

[Aldur]

Nice thread. Maybe I should pick up a IP330 just to play around with...

Not that I need one but I might just pick one up myself to play around with too.

[seraphus]

Something that comes to mind is if we could load the J series software on these boxes. If so we'd have a extremely cheap way of making a J series box that would allow people to play with services and what not. If it worked it would be a good alternative to dropping 400-500$ per J2300

I tried a few different ways, but I couldn't bypass the hardware detection. Worth a shot though. Guess I'll be coughing up pesos for J2300s.

Saw instructions for a VMware J-series Olive here:
Creating a J-series Junos or J-series Junos with Enhanced Services Olive - the easy way - a knol by Juniper Hacks

Nice thread. Maybe I should pick up a IP330 just to play around with...

Thanks. At those prices, why not?

[Aldur]

I tried a few different ways, but I couldn't bypass the hardware detection.

ahh too bad. Was worth a shot though. Thanks for trying that out.

[hacksjuniper]

You can also buy ssg320M, ssg350M, ssg520M and ssg550M and put the latest junos on them. They run vpls, mpls l2/l3 vpns, idp, etc. They become an equivalent jseries, the hardware is the same. They are your best bet in my IMHO. I bought one for around $800 US. This is the same code that is on the the new srx line of firewalls. And they will be upgradeable for the forseable future even when Junos 10.0 is released in Q4. The J23XX can only go to 9.3, which iirc does get you vpls and mpls l2/l3 vpns and probably most of the stuff you would be interested in.

The Jseries olives are cool idea, but until we can put an interface into a zone aren't of much use. If someone can figure that out, I have tried trust me, it would most likely make a lot Junos fans very happy.

[seraphus]

You can also buy ssg320M, ssg350M, ssg520M and ssg550M and put the latest junos on them. They run vpls, mpls l2/l3 vpns, idp, etc. They become an equivalent jseries, the hardware is the same. They are your best bet in my IMHO. I bought one for around $800 US. This is the same code that is on the the new srx line of firewalls. And they will be upgradeable for the forseable future even when Junos 10.0 is released in Q4. The J23XX can only go to 9.3, which iirc does get you vpls and mpls l2/l3 vpns and probably most of the stuff you would be interested in.

That's pretty cool.

The Jseries olives are cool idea, but until we can put an interface into a zone aren't of much use.

Agreed (somewhat). Just to clarify for others that may read this, this thread was for M-series Olives.

[tiersten]

You can also buy ssg320M, ssg350M, ssg520M and ssg550M and put the latest junos on them. They run vpls, mpls l2/l3 vpns, idp, etc. They become an equivalent jseries, the hardware is the same. They are your best bet in my IMHO. I bought one for around $800 US. This is the same code that is on the the new srx line of firewalls. And they will be upgradeable for the forseable future even when Junos 10.0 is released in Q4. The J23XX can only go to 9.3, which iirc does get you vpls and mpls l2/l3 vpns and probably most of the stuff you would be interested in.

The Jseries olives are cool idea, but until we can put an interface into a zone aren't of much use. If someone can figure that out, I have tried trust me, it would most likely make a lot Junos fans very happy.

Ahh. Very interesting! Thanks

[kalebksp]

I grabbed an IP330 off eBay after reading this post. Received it a couple weeks ago and just now got it running properly. Oddly the BIOS on my 330 wasn't set to boot from the hard drive (which is particularly confusing because IPSO did boot) and a particular type of null-modem cable is required to see the BIOS on the console port. Additionally, the drive that came with it refused to boot with FreeBSD installed, but a spare hard drive I had worked fine. I ended up attaching a 2 channel cable to the IDE header and installing directly on the 330. It turns out that the power supply on the 330 couldn't handle the hard drive and CDROM, so I grabbed an external drive enclosure I had torn apart and powered the CD off that.

So it was quite and ordeal, but now I have a running 1U Olive and am very pleased with it. This is my first experience with JunOS and I have to say, I'm really digging it. Much more modern and logical than IOS. Anyway, thanks to seraphus for bring this to my attention, it's a very nice solution for labbing.

[seraphus]

Oddly the BIOS on my 330 wasn't set to boot from the hard drive (which is particularly confusing because IPSO did boot) and a particular type of null-modem cable is required to see the BIOS on the console port.

That is weird. I have set up 3 of these from varying sources, all with good experiences.

Additionally, the drive that came with it refused to boot with FreeBSD installed, but a spare hard drive I had worked fine.

Bad drive, perhaps?

I ended up attaching a 2 channel cable to the IDE header and installing directly on the 330. It turns out that the power supply on the 330 couldn't handle the hard drive and CDROM, so I grabbed an external drive enclosure I had torn apart and powered the CD off that.

Good deal!

So it was quite and ordeal, but now I have a running 1U Olive and am very pleased with it. This is my first experience with JunOS and I have to say, I'm really digging it. Much more modern and logical than IOS. Anyway, thanks to seraphus for bring this to my attention, it's a very nice solution for labbing.

Congrats! Building an Olive can be a bit rough.

Thanks for adding your experience!

And yes, building an Olive from scratch can be an "interesting" experience. I would say that a 330 Olive makes it a much easier experience than building a PC Olive... and cheaper too.

[Aldur]

building an Olive from scratch can be an "interesting" experience. I would say that a 330 Olive makes it a much easier experience than building a PC Olive... and cheaper too.

I really wish I would have known about the 330 olive before I ventured down the "build-an-olive" path about 3 years ago. I spent probably around 1000 bucks all said and done not to mention the headache of finding all the parts and building the olives from there...

But I did go a little overboard, at one point I had 14 working olives with 5 dual NIC's in each of them... Funny thing about that too is that an olive will only recognize 8 fxp ports so that 5th dual NIC ended up being useless.

[seraphus]

I really wish I would have known about the 330 olive before I ventured down the "build-an-olive" path about 3 years ago. I spent probably around 1000 bucks all said and done not to mention the headache of finding all the parts and building the olives from there...

But I did go a little overboard, at one point I had 14 working olives with 5 dual NIC's in each of them... Funny thing about that too is that an olive will only recognize 8 fxp ports so that 5th dual NIC ended up being useless.

That's a mountain of olives!

Good to know about the 8 fxp port limitation. In my "traditional" olive I'm using an MATROX NS-QNIC 948-0001 Quad Ethernet PCI Interface, but I may add another one to make it an 8 port olive. We'll see.

[hoogen82]

Can you guys post some pictures... Would love to see your labs..

[seraphus]

IAdditionally, the drive that came with it refused to boot with FreeBSD installed, but a spare hard drive I had worked fine.

FYI:
I had another 330 arrive today, and I ran into this exact issue. The original hard drive was an IBM Deskstar. My 330s that came with Western Digitals had no issues. Looks like I'll be scrounging up another drive for this baby.

[seraphus]

Can you guys post some pictures... Would love to see your labs..

So, I'm no Ansel Adams, but here you go

1 Cisco 2509 (for OOB management, of course)
1 Cisco 2950
1 Juniper J2300
3 Nokia IP330s Olives
1 PC Olive

[Aldur]

Nice setup you got there seraphus. Time to dust off the camera and get some pics of my lab up here too

[seraphus]

Nice setup you got there seraphus. Time to dust off the camera and get some pics of my lab up here too

Thanks!

Hope to have it readied for JNCIS-M/JNCIP-M studies, soon.

I know your lab pics will be sick!

[Ryan82]

This is interesting stuff. I was digging around and found this: Symantec Gateway Security 5420

I wonder if this would work also?

It is 1U as well and it has 6 fast Ethernet connections. Looks like the cheapest one is a little more than the cheapest that you can find a IP330 but may be worth looking into.

[seraphus]

This is interesting stuff. I was digging around and found this: Symantec Gateway Security 5420

I wonder if this would work also?

It is 1U as well and it has 6 fast Ethernet connections. Looks like the cheapest one is a little more than the cheapest that you can find a IP330 but may be worth looking into.

Hi Ryan82,

After a brief search, I wasn't able to locate the hardware specs on this product.

Do you have the hardware specs which list the chipset info for the SGS? Also, does this use a flash drive to store its OS, or an IDE hard drive?

If the chipset on these do not match, you may not be able to pass traffic (assuming you could load JUNOS on it). The chipset on the Ethernet cards/ports in the IP330 happened to match the list at JuniperClue exactly. Flash drives won't work either.

You can compare the specs here: Olive - Juniper Clue

[powercharme]

You can also buy ssg320M, ssg350M, ssg520M and ssg550M and put the latest junos on them. They run vpls, mpls l2/l3 vpns, idp, etc. They become an equivalent jseries, the hardware is the same. They are your best bet in my IMHO. I bought one for around $800 US. This is the same code that is on the the new srx line of firewalls. And they will be upgradeable for the forseable future even when Junos 10.0 is released in Q4. The J23XX can only go to 9.3, which iirc does get you vpls and mpls l2/l3 vpns and probably most of the stuff you would be interested in.

The Jseries olives are cool idea, but until we can put an interface into a zone aren't of much use. If someone can figure that out, I have tried trust me, it would most likely make a lot Junos fans very happy.

What else NetScreen firewalls can be loaded with the JUNOS except those you have mentioned : ssg320M, ssg350M, ssg520M and ssg550M ? I wanna have a try to make some J-series device out of the NetScreen firewalls if it really works ..

[andyh123]

I grabbed an IP330 off eBay after reading this post. Received it a couple weeks ago and just now got it running properly. Oddly the BIOS on my 330 wasn't set to boot from the hard drive (which is particularly confusing because IPSO did boot) and a particular type of null-modem cable is required to see the BIOS on the console port. Additionally, the drive that came with it refused to boot with FreeBSD installed, but a spare hard drive I had worked fine. I ended up attaching a 2 channel cable to the IDE header and installing directly on the 330. It turns out that the power supply on the 330 couldn't handle the hard drive and CDROM, so I grabbed an external drive enclosure I had torn apart and powered the CD off that

sorry if this is cluttering up the sticky thread, I can start a new thread if that would be better ...

I picked up a couple of IP330's off ebay (£0.99!) for oliveizing. I had the same problem with the console with a regular null-modem cable but fortunately they came with the correct cable

I am having trouble getting the install completed, I do the FreeBSD install fine, plus the fs tweaks & the pkg_add, but when I put the drive back into the IP330 it comes up with "missing operating system". it booted the Nokia OS fine before & seems to be configured in BIOS to boot from the primary HDD. the drive is WD. I have tried continuing the install in the regular PC that I'm using for the FreeBSD install (one of my olive PC's) & this works fine

I have only tried one of the boxes so far, I will try the other tomorrow, but if anyone has any bright ideas, they would be much appreciated!

many thanks

~andy