Jesus's Blog Posts

Custom Docker containers in Cisco Modeling Labs!

2025-09-21T00:00:00Z

It's no surprise I'm very fascinated by Docker containers, just ask my wife! So when Cisco Modeling Labs (CML) added support for Docker, you can imagine I was excited for the possibilities that opened up. This new version 2.9 comes with some pretty cool baked-in images like TACPlus, FreeRadius, and even a Dnsmasq server! But what if you want to run your own docker image? Like maybe this same website??

What You Need

An instance of CML 2.9 or higher
A Docker image you'd like to use

Prepping The Image

I deploy this website in production using a Dockerfile and my own container registry, but for brevity's sake, let's assume you have either built your own image already or pulled one from some registry. Either way, we will need to bundle it up to use it in CML.

First let's see what images we have locally. Run docker image ls to verify your image is available.

docker image ls
REPOSITORY                      TAG               IMAGE ID       CREATED        SIZE
git.twk95.com/twk95/11ty-site   latest            11b0c9d9ec70   8 hours ago    131MB
linuxserver/wireguard           latest            6c92a81d85f6   2 days ago     118MB
moby/buildkit                   buildx-stable-1   44f5d48d5c6c   2 months ago   219MB

Use the docker save command to archive the image for CML. We'll be using my twk95/11ty-site image for this example.
```
docker save -o jesus.twk95.com.tar git.twk95.com/twk95/11ty-site:latest
ls
jesus.twk95.com.tar
```
Before we leave the terminal, we have to grab one more thing. Run docker image inspect to output the image's checksum. Keep this handy, as we'll need it in CML.
```
docker image inspect -f '{{ index .Id }}' git.twk95.com/twk95/11ty-site:latest
sha256:11b0c9d9ec70cb97832fa98029cf0e3548466760646d7431c19a4cc427bc83e0
```

Upload to CML

Next, head to CML. Navigate to Tools > Node and Image Definitions > Image Definitions and upload the .tar file we just created. I'm running WSL2, so it is easy enough to open the Linux folder in Windows and upload it to CML.

Create a Node Definition

This next part is lengthy so feel free to download an existing node definition and tweak as needed. Any options not mentioned here are optional. Refer to the CML Node Definition docs for more information.

General

Setting	Value
ID	jesus.twk95.com
Description	My website (Docker)
Nature	server

User Interface

Setting	Value
Prefix	jesus-
Icon	server
Label	jesus.twk95.com

Linux Native Simulation

Setting	Value
Domain Driver	Docker
Simulation Driver	server
Disk Driver	VirtIO
RAM	1024
CPUs	1

Interfaces

Setting	Value
Has a Loopback Interface	False
Number of serial ports	1
Interface 0	eth0

Boot

Setting	Value
Timeout	30 seconds

Provisioning

Setting	Value
Enable Provisioning	Enabled
Media Type	RAW
Configuration Disk Volume Name	cfg
+ ADD FILE
Name	config.json
Editable	Enable
Content	See below
+ ADD FILE
Name	boot.sh
Editable	Enable
Content	See below

config.json

{
  "docker": {
    "image": "git.twk95.com/twk95/11ty-site:latest",
    "mounts": [
      "type=bind,source=cfg/boot.sh,target=/boot.sh"
    ]
  },
  "shell": "/bin/bash",
  "day0cmd": [ "/bin/bash", "/boot.sh" ],
  "busybox": true
}

boot.sh

# insert more commands here
# ip address add dev eth0 10.0.0.1/24
# ip link set dev eth0 up
#
# keep the next line to indicate that the machine is ready
echo "READY" >/dev/console
exit 0

Create an Image Definition

Click on the Create New Image Definition button then use the template below to fill out the form. Again, tweak as needed.

Setting	Value
ID	jesus.twk95.com-v1.4.3
Label	jesus.twk95.com
Description	My website in Docker!
Node Definition	jesus.twk95.com
Disk Image	jesus.twk95.com.tar
Disk Hash	checksum from earlier

Finally ready to test!

Here's the big moment! Create a new lab in CML and add a few things

An external connector, I prefer to use a bridge with my actual network
An unmanaged switch
Your new docker node definition
Optionally, a host to test the container! I'm using the Chrome container

Lab setup

graph LR subgraph "Host Machine" direction TB subgraph "CML" Docker[Custom Docker Node] Switch[Unmanaged Switch] ExtConn[External Connector] Chrome[Chrome Container] Docker <--> Switch Chrome <--> Switch Switch <--> ExtConn end HomeNet[Home Network] ExtConn <--> HomeNet end

Final test

Click the custom Docker container and check the IP address, then use that IP to test your new container! Hopefully all went well, and you can connect to your container from the host machine like below!

Conclusion

It was a lengthy setup, but it is very rewarding seeing my website hosted locally in CML, even if its only purpose is to verify connectivity for my labs. Also big shout out to Jens Albrecht from the Cisco Community Knowledge Base. He made a very in-depth tutorial for Radius in CML 2.9, and this blog post relied heavily on that. Linked below, go mark his post as helpful! And as always, if you have any questions, feel free to reach out!

References

An Eleventy Showcase!

2025-08-30T00:00:00Z

Welcome back to my blog! This one is a brief post. Just a showcase of what Eleventy can do with Markdown!

What is Eleventy?

Eleventy (or 11ty) is a simpler static site generator. It's written in JavaScript and transforms a directory of templates of various types into a folder of plain HTML files. It's known for its flexibility, speed, and the fact that it doesn't ship any client-side JavaScript by default.

Markdown Features

Eleventy has excellent support for Markdown. Here are some examples of what you can do.

Basic Formatting

You can use bold text, italic text, and even both. You can also create links, like this one to the official Eleventy website.

Lists

Unordered list item 1
Unordered list item 2
- Nested item

Ordered list item 1
Ordered list item 2

Code Blocks

You can include inline code like <div> within a sentence. For larger code blocks, you can use fenced code blocks with syntax highlighting:

// This is a JavaScript code block
function greet(name) {
    console.log(`Hello, ${name}!`);
}
greet('World');

Tables

Feature	Description
Templating	Supports over 10 different templating languages.
Data Cascade	Merge data from different sources to use in your templates.

Blockquotes

"The web should be a platform for creativity and expression. Eleventy helps make that a reality."

Markdown Plugins

You can extend Markdown's functionality with plugins. For example, with markdown-it-emoji, you can write things like :tada: and get 🎉.

Templating and Data

Eleventy can use data from JSON or JavaScript files. Imagine you have a _data/users.json file.

[
    { "name": "Alice", "role": "Developer" },
    { "name": "Bob", "role": "Designer" }
    ...
]

You could then use a templating language like Nunjucks within your Markdown file to loop through this data:

Team Members:

Alice - Developer
Bob - Designer
Charlie - Project Manager

Shortcodes

Shortcodes are reusable snippets of content. You could create a shortcode for a callout box like this:

Heads up!

This is a custom callout box created with a shortcode. It's a great way to create reusable components.

Layouts

Layouts allow you to wrap your content in a parent template. For example, this entire page could be a Markdown file that uses a main layout file to provide the header, footer, and overall page structure. This avoids repeating the same HTML in every file.

In your Markdown file's front matter, you would specify the layout like this:

---
layout: post.njk
title: My Awesome Page
---
Your Markdown content goes here...

References:

Junos ZTP with Dnsmasq DHCP in OPNsense

2025-08-14T00:00:00Z

Most people know that DHCP (Dynamic Host Configuration Protocol) is a protocol used to dynamically allocate IP addresses. But did you know that it can be used to configure other host device settings? Network device vendors like Junip... ermm, HPE Networking... take advantage of DHCP to implement "Zero Touch Provisioning" and even perform software upgrades for out-of-the-box devices. Here I will show you how to use OPNsense with Dnsmasq DHCP to "auto-provision" your Junos devices.

Requirements

At least one zeroized Junos device.
A Junos base configuration file saved on an (S)FTP server.
An (S)FTP server in your network reachable by the Junos device(s).
An OPNsense device with Dnsmasq DHCP enabled^[1].
An understanding of OPNsense firewall rules^[2].
A hex converter. Link to the one I used here.^[3].

Junos Base Configuration

Below is a very simple base config to allow SSH, but I highly recommend you set up your own. Try configuring a Junos device once with some basic configuration, then use that to create your own template. Remember, this will apply to all out-of-the-box devices that pull a DHCP address.

system {
    root-authentication {
        encrypted-password "$6$9rdHQ5nJ$ilwzYPYghLkr9mXFVLrXRKnOaj.jhIDwYLT31w0//bunn1JSPUxVNEkGuoBoRinJrMiOKJKLCWsuLmyBcejzD0"; ## SECRET-DATA
    }
    services {
        ssh {
            protocol-version v2;
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}

The root password here is set to Tut0ria1!. Feel free to customize your base config as needed! Add non-root users, ssh keys, a management routing instance, name-servers, default routes, the list goes on!

Configuring DHCP Option 43 Suboptions

This is the tricky part that really makes or breaks the setup. Before we start, we have to decide on a few things:

The config filename.
The file transfer method. (FTP, SFTP, etc.)
The character length of #1 and #2.
Any other suboptions you're configuring.

For this example we are using the filename init.conf and the FTP protocol. The filename is 9 characters long and the protocol is 3. Easy enough right?

Playing with hex

To encode all of this info for DHCP option 43, we will need a hex converter to put it all together. The order for combining them is as follows: suboption + length + value. This can be repeated for all suboptions you're configuring.

Heads up!

Be sure to convert integers like the suboption and value length from decimal to hex. Using ASCII to hex can provide different results.

Suboption 1

Junos uses this suboption to set the config filename. For this example, we will use suboption 1 + 9 + init.conf. Converting these to hex individually (with colon separators) becomes 01 + 09 + 69:6E:69:74:2E:63:6F:6E:66

Suboption 3

This suboption is used by Junos devices to specify the file transfer protocol. The same process applies here: convert and combine. Suboption 3 + 3 + FTP becomes 03 + 03 + 66:74:70

Putting it all together

Once you've performed your conversions, combine them all like so: 01:09:69:6E:69:74:2E:63:6F:6E:66:03:03:66:74:70. You should be good to move on to the next step. Unless...

Go the extra mile

If you have physical Junos devices you can also perform a software upgrade using ZTP. Suboptions 0 or 4 can be used to specify a software image for upgrades. Use the same steps as above to convert the suboptions and combine them. More Junos ZTP info here^[4].

OPNsense Settings

Dnsmasq DHCP

This guide assumes you have OPNsense in your network already handing out old boring DHCP leases using Dnsmasq on a predetermined VLAN. If you're already there thankfully OPNsense makes it easy to just add some DHCP options.

DHCP options tab

Navigate to the DHCP Options tab in OPNsense. In the 'Options' section click the plus to add a your first DHCP option.
Configure Option 150 like shown. Be sure to select the interface that your network devices are using and the IP of your FTP server.
Click add again and now we add Option 43 like so. Use the hex value you calculated earlier here.

Firewall rules

OPNsense will open up the port needed for DHCP but you will need to create your own firewall rule for the file transfer protocol you're using.

In this case I am using my NAS to host the FTP server so my config looks like so:

Be sure to apply the changes as needed!

Finally, Zero Touch Provisioning!

Now that you have your configuration file, ftp server, and firewall rules in place you can finally provision your devices!

Connect your Junos devices to management and boot them up! Once up, assuming all goes well, then you should get something like this:

root> 
Auto Image Upgrade: DHCP INET Options for client interface fxp0.0 ConfigFile:
init.conf Gateway: 10.0.0.1 DHCP Server: 10.0.0.1 File Server: 10.0.0.254
 Options state:
Partial Options::Config File set,Image File not set,File Server set
Auto Image Upgrade: Active on INET client interface : fxp0.0
Auto Image Upgrade: Interface::   "fxp0"
Auto Image Upgrade: Server::      "10.0.0.254"
Auto Image Upgrade: Image File::  "NOT SPECIFIED"
Auto Image Upgrade: Config File:: "init.conf"
Auto Image Upgrade: Gateway::     "10.0.0.1"
Auto Image Upgrade: Protocol::    "ftp"
Auto Image Upgrade: FTP timeout set to 7200 seconds
Auto Image Upgrade: Start fetching init.conf file from server 10.0.0.254 through fxp0 using ftp
Auto Image Upgrade: File init.conf fetched from server 10.0.0.254 through fxp0
Auto Image Upgrade: Applying init.conf file configuration fetched from server 10.0.0.254 through fxp0
Broadcast Message from root@VM689D3B3F6F
        (no tty) at 19:29 EDT...
Auto image Upgrade: Stopped
Auto Image Upgrade: Committed Configuration init.conf received from 10.0.0.254 through fxp0

root@VM689D3B3F6F>

For those with a keen eye you may notice that the base config does not have host-name configured. But with the magic of DHCP the device was able to configure its own unique hostname! Now you can use that hostname or the DHCP IP to SSH to the devices using root and Tut0ria1! as the password thanks to our config file!

If at this point you are not seeing successful ZTP logs check your Dnsmasq configuration and be sure the OPNsense firewall rule is working properly. If you have any questions or need help, feel free to reach out!

Conclusion

This setup really helped me create many virtual labs while pursuing my certifications. I hope this tutorial can be helpful to someone starting their own lab. I know I could have used this a long time ago for sure!

This is only the beginning of our automation journey though! In the future I may do a tutorial on how to further automate device-specific settings using other automation tools and inventory files. Stay tuned!