Jaycee's Networking

October 20, 2009

JUNOS Default Policies

Filed under: Junos — Tags: — Jaycee @ 7:51 pm

LS protocol (Link-State protocol): OSPF and ISIS

1. LS default policy:

a. default import policy:

1) accept all routes learned through LS protocol

2) for OSPF, filter external routes from being installed into the route table.

b. default export policy:

1) reject everything

2) for OSPF, LSA flooding is not affected by export policy: both the advertisement of local interfaces that are enabled to run OSPF and the readvertisement (flooding) of LSAs received from other routers happen regardless of the export policy.

2. RIP default policy:

a. default import policy: accept all received RIP routes that pass a sanity check

b. default export policy: advertise no routes

*You’ll need to create and apply a custom export policy to readvertise RIP learned and direct routes for interfaces running RIP to other RIP speakers.

3. BGP default policy:

a. default import policy: accept all received BGP routes that pass a sanity check

b. default export policy: readvertise all learned BGP routes to all BGP speakers


October 15, 2009

IOS ADs vs JUNOS Preferences

Filed under: IOS, Junos — Tags: , — Jaycee @ 8:17 pm
Source                          IOS administrative distance   JUNOS protocol preference   Purpose
Local                           0                             0                           Local IP of the interface
Connected Interface             0                             0                           Subnet corresponding to the directly connected interface
System Routes                   -                             4
Static                          1                             5                           Static routes
RSVP                            -                             7                           Routes learned from the Resource Reservation Protocol used in MPLS
LDF                             -                             8
LDP                             -                             9                           Routes learned from the Label Distribution Protocol used in MPLS
OSPF internal route             -                             10                          OSPF internal routes such as interfaces that are running OSPF
IS-IS Level 1 internal route    -                             15                          IS-IS Level 1 internal routes such as interfaces that are running IS-IS
IS-IS Level 2 internal route    -                             18                          IS-IS Level 2 internal routes such as interfaces that are running IS-IS
EBGP                            20                            -
Redirects                       -                             30                          Routes from ICMP redirect
Kernel                          -                             40                          Routes learned via route socket from kernel
SNMP                            -                             50                          Routes installed by NMS through SNMP
Router discovery                -                             55                          Routes installed by ICMP Router Discovery
Internal EIGRP                  90                            -                           Cisco proprietary routing protocol
RIP                             -                             100                         Routes from Routing Information Protocol (IPv4)
RIPng                           -                             100                         Routes from Routing Information Protocol (IPv6)
IGRP                            100                           -                           Interior Gateway Routing Protocol
PIM                             -                             105                         Routes from Protocol Independent Multicast
DVMRP                           -                             110                         Routes from Distance Vector Multicast Routing Protocol
OSPF                            110                           -
IS-IS                           115                           -
RIP                             120                           -                           Routes from Routing Information Protocol
Aggregate                       -                             130                         Aggregate and generated routes
EGP                             140                           -                           Routes from Exterior Gateway Protocol
OSPF AS external routes         -                             150                         Routes from OSPF that have been redistributed into OSPF
ODR                             160                           -                           On Demand Routing
IS-IS Level 1 external route    -                             160                         Routes from IS-IS Level 1 that have been redistributed into IS-IS
IS-IS Level 2 external route    -                             165                         Routes from IS-IS Level 2 that have been redistributed into IS-IS
BGP                             -                             170                         Routes from BGP
MSDP                            -                             175
External EIGRP                  170                           -
iBGP                            200                           -
Unknown                         255                           255

(- = no value for that platform)

September 29, 2009

Basic Config of JUNOS

Filed under: IS-IS, Junos, OSPF, Static Route — Tags: , — Jaycee @ 7:18 pm

17. The loops argument to the autonomous-system statement lets you configure how many occurrences of the local ASN are tolerated in received route updates. An occurrence of the local ASN indicates a BGP routing loop and normally results in the route being discarded. The default setting of 1 rejects any route that carries a single instance of the local AS number. To accept routes with a single instance of the local ASN, specify a loops value of 2.

jc@Junos# set routing-options autonomous-system loops 3

Tolerates as many as 2 instances of the local AS number in received route updates.
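As an added example (not from the post), the loop-count rule above applied in Python to received AS paths; LOCAL_AS and the sample updates are constructed values, and AS_SET members are simply flattened before counting:

```python
# Added example (not from the post): emulate the acceptance rule of the Junos
# "autonomous-system ... loops N" setting on received BGP AS paths.
# LOCAL_AS and SAMPLE_UPDATES are constructed values.
LOCAL_AS = 65001

def parse_as_path(as_path):
    """Turn an AS_PATH string such as '65002 65001 65003' into a list of ints.
    Braces mark an AS_SET; its members are flattened, since loop detection
    only cares whether the local ASN is present."""
    tokens = as_path.replace("{", " ").replace("}", " ").replace(",", " ").split()
    return [int(t) for t in tokens]

def local_as_count(as_path, local_as=LOCAL_AS):
    """How many times the local ASN appears in the received AS path."""
    return sum(1 for asn in parse_as_path(as_path) if asn == local_as)

def accept_route(as_path, loops=1, local_as=LOCAL_AS):
    """True if the route survives loop detection.

    loops=1 (the default) discards any path that contains the local ASN
    even once; loops=N tolerates up to N-1 occurrences, so the post's
    'loops 3' accepts paths with one or two instances of the local ASN.
    Junos accepts loops values from 1 through 10."""
    if not 1 <= loops <= 10:
        raise ValueError("loops must be between 1 and 10")
    return local_as_count(as_path, local_as) < loops

def filter_updates(updates, loops=1, local_as=LOCAL_AS):
    """Apply loop detection to (prefix, as_path) pairs and return the kept
    and discarded prefixes, so the effect of a loops setting is visible."""
    kept, discarded = [], []
    for prefix, path in updates:
        (kept if accept_route(path, loops, local_as) else discarded).append(prefix)
    return kept, discarded

# Constructed sample updates: the last three contain the local ASN.
SAMPLE_UPDATES = [
    ("10.1.0.0/16", "65002 65003"),
    ("10.2.0.0/16", "65002 65001 65003"),
    ("10.3.0.0/16", "65001 65002 65001 65004"),
    ("10.4.0.0/16", "65002 {65001,65005} 65001"),
]

if __name__ == "__main__":
    for loops in (1, 2, 3):
        print("loops %d:" % loops, filter_updates(SAMPLE_UPDATES, loops))
```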

16. Martian routes:

jc@Junos> show route martians table inet.0

inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
192.0.0.0/24 orlonger -- disallowed
223.255.255.0/24 orlonger -- disallowed
240.0.0.0/4 orlonger -- disallowed

15. Security:

a. SSH:

jc@Junos# set system services ssh

b. Direct broadcast msgs:

Junos doesn’t forward these messages, which are datagrams with a destination address of an IP subnet broadcast address, in order to prevent DoS attacks.

c. Martian addresses:

Martian addresses are host or network addresses about which all routing information is ignored.

(1) In IPv4: 0.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24, 223.255.255.0/24, 240.0.0.0/4

(2) In IPv6: the loopback address, the reserved and unassigned prefixes from RFC 2373, and the link-local unicast prefix are the default martian addresses
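As an added example (not from the post), the default IPv4 martian list shown by "show route martians" above, evaluated in Python with the Junos route-filter match types; it assumes that when several entries match a route the longest prefix wins, as route-filter lists do (the default list has no overlapping entries):

```python
import ipaddress

# Added example (not from the post): evaluate a route against the default IPv4
# martian list that "show route martians table inet.0" prints in the post.
# Each entry is (prefix, Junos route-filter match type, verdict).
DEFAULT_MARTIANS = [
    ("0.0.0.0/0",        "exact",    "allowed"),
    ("0.0.0.0/8",        "orlonger", "disallowed"),
    ("127.0.0.0/8",      "orlonger", "disallowed"),
    ("128.0.0.0/16",     "orlonger", "disallowed"),
    ("191.255.0.0/16",   "orlonger", "disallowed"),
    ("192.0.0.0/24",     "orlonger", "disallowed"),
    ("223.255.255.0/24", "orlonger", "disallowed"),
    ("240.0.0.0/4",      "orlonger", "disallowed"),
]

def route_filter_match(route, entry_prefix, match_type):
    """Junos route-filter match types as used in the martian list:
    exact    - the route must be exactly this prefix
    orlonger - this prefix or any more-specific prefix inside it
    longer   - only more-specific prefixes, not the prefix itself"""
    r = ipaddress.ip_network(route, strict=False)
    p = ipaddress.ip_network(entry_prefix)
    if r.version != p.version:
        return False
    if match_type == "exact":
        return r == p
    if match_type == "orlonger":
        return r.subnet_of(p)
    if match_type == "longer":
        return r.subnet_of(p) and r.prefixlen > p.prefixlen
    raise ValueError("unknown match type: %s" % match_type)

def martian_verdict(route, martians=DEFAULT_MARTIANS):
    """Return the entry that decides the route's fate, or None if nothing
    matches. Among several matches the longest prefix wins (assumed to
    mirror route-filter longest-match behaviour for user-added entries)."""
    hits = [e for e in martians if route_filter_match(route, e[0], e[1])]
    if not hits:
        return None
    return max(hits, key=lambda e: ipaddress.ip_network(e[0]).prefixlen)

def is_martian(route, martians=DEFAULT_MARTIANS):
    """True if routing information for this route would be ignored."""
    hit = martian_verdict(route, martians)
    return hit is not None and hit[2] == "disallowed"
```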

d. Who’s logged in:

jc@Junos> show system users
jc@Junos> request system logout mike
jc@Junos> request message user mike message "End router session now!"
jc@Junos> request message all message "End router session now!"

e. Who’s configuring:

jc@Junos# status
Users currently editing the configuration:
  fred terminal p0 (pid 13329) on since 2008-03-23 15:15:12 UTC

f. Ensure no one else can modify the router while you’re editing:

jc@Junos# configure exclusive

14. IS-IS:

a. IS-IS runs directly on the data link layer (Layer 2). As a result, each interface that runs IS-IS doesn’t need an IP address to exchange IS-IS information.

b. It was developed as part of the OSI network protocols and not part of TCP/IP, thus IS-IS doesn’t use IP addresses.

c. IS-IS addresses are called NETs (Network Entity Titles). NETs can be 8 to 20 bytes long, but are generally 10 bytes long:

[figure: NET format]
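As an added example (not from the post), a parser for the NET format described above, plus the common convention of deriving the 6-byte system ID from an IPv4 address; the sample NETs are constructed:

```python
import re

# Added example (not from the post): parse an IS-IS NET into its fields and
# build one from an IPv4 address using the common operator convention.
# The sample NETs used here are constructed, not taken from the post.
HEX_DIGITS = re.compile(r"^[0-9a-fA-F]+$")

def dotted4(hexdigits):
    """Group hex digits in fours: '192168001001' -> '1921.6800.1001'."""
    return ".".join(hexdigits[i:i + 4] for i in range(0, len(hexdigits), 4))

def parse_net(net):
    """Split a dotted-hex NET such as 49.0001.1921.6800.1001.00.

    A NET is 8 to 20 bytes: a variable-length area address whose first
    byte is the AFI (49 = private), a 6-byte system ID, and a 1-byte
    selector (NSEL) that must be 00 for a NET."""
    digits = net.replace(".", "")
    if not HEX_DIGITS.match(digits) or len(digits) % 2:
        raise ValueError("NET must consist of whole hex bytes: %r" % net)
    raw = bytes.fromhex(digits)
    if not 8 <= len(raw) <= 20:
        raise ValueError("NET length %d bytes is outside 8..20" % len(raw))
    area, sysid, nsel = raw[:-7], raw[-7:-1], raw[-1]
    if nsel != 0:
        raise ValueError("NSEL must be 00 for a NET, got %02x" % nsel)
    area_txt = "%02x" % area[0]
    if len(area) > 1:
        area_txt += "." + dotted4(area[1:].hex())
    return {"afi": area[0], "area": area_txt,
            "system_id": dotted4(sysid.hex()), "nsel": nsel, "length": len(raw)}

def system_id_from_ipv4(address):
    """Pad each octet to three digits and regroup the 12 digits in fours:
    192.168.1.1 -> 192168001001 -> 1921.6800.1001."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % address)
    return dotted4("".join("%03d" % int(o) for o in octets))

def build_net(area, address):
    """Assemble a NET from a dotted area (e.g. '49.0001') and an IPv4 address."""
    net = "%s.%s.00" % (area, system_id_from_ipv4(address))
    parse_net(net)          # validate length and hex content before returning
    return net
```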

d. All the routers within an area exchange their network topology information in IS-IS LSPs, and run the SPF calculation to keep their link-state database identical.

e. Routers within an area can send summaries of their routes to other areas in the IS-IS network.

f. Two types of routers:

(1) Level 1 systems: When they receive traffic destined for somewhere outside the area, they send the packet toward a Level 2 system.

(2) Level 2 systems:

(2.1) Route traffic between 2 IS-IS areas.
(2.2) Route traffic to other ASs.

g. Configure IS-IS:

jc@Junos# set interfaces ge-1/0/0 unit 0 family iso
jc@Junos# set protocols isis interface ge-1/0/0.0

h. Monitor IS-IS:

jc@Junos> show isis database
jc@Junos> show isis adjacency => displays the neighbors
jc@Junos> show isis interface
jc@Junos> show isis route
jc@Junos> show route protocol isis

13. OSPF:

a. Link-state protocols run an SPF algorithm over a database of the network’s topology to determine the best path to each destination.

b. Each router goes through the following process to discover the network topology and determine the best path to each destination:

1) OSPF creates LSAs which describe the network topology that the router has in its link-state database.

2) The router floods the LSAs to all routers in the domain.

3) When the router receives LSAs from other routers, it adds the information to its link-state database.

4) The router runs the Dijkstra SPF calculation to determine the shortest path to each destination in the domain. The result of the calculation is the destination address and the next hop. OSPF places this information in its OSPF routing database. Each router performs the SPF calculation independently; all routers end up with identical link-state databases, though the routers may have different next hops for the same destination.

5) When changes occur in the domain, this information is transmitted in LSAs, and all the OSPF routers rerun the SPF calculation and update their link-state database.

c. As an OSPF network gets larger, one of the challenges is keeping the link-state databases on all routers in sync. => divide it into smaller areas

1) Each area has the same properties: All the routers within the area exchange their network topology information in LSAs, and this smaller group of routers run the SPF calculation to keep their link-state databases identical.

2) ABRs — run 2 SPF calculations, maintain 2 link-state databases, pass route information between the 2 areas but summarize it before sending it into the neighboring area.

Summarization improves the overall stability of the OSPF network.

3) ASBRs — are responsible for advertising externally learned routes into the OSPF administrative domain.

4) All routers in the OSPF backbone must be physically connected to each other. If any routers aren’t physically contiguous, they must be connected by an OSPF virtual link so that they appear to be contiguous.

5) Area ID 0 is normally written as the 32-bit value 0.0.0.0.

6) Stub areas — receive only summarized routing information about other areas within the OSPF domain, and don’t receive any information about external OSPF routes. => Stub areas can’t connect to external networks.

7) NSSAs — can connect to external networks.
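As an added example (not from the post), the Dijkstra SPF run from step 4 above in Python over a constructed link-state database: every router holds the same database, each computes its own next hops, and a link change (step 5) is applied to the shared database and recomputed everywhere:

```python
import copy
import heapq

# Added example (not from the post): the Dijkstra SPF run described in
# step 4 above, over a constructed link-state database that every router
# holds identically. Each router computes from its own vantage point, so
# the databases match while the next hops differ per router (step 4),
# and a link change reruns the calculation everywhere (step 5).
LSDB = {  # router -> {neighbour: link cost}; links are symmetric here
    "A": {"B": 10, "C": 5},
    "B": {"A": 10, "C": 2, "D": 1},
    "C": {"A": 5, "B": 2, "D": 20},
    "D": {"B": 1, "C": 20},
}

def spf(lsdb, root):
    """Dijkstra from root; returns {destination: (total cost, next hop)}."""
    dist, first_hop, done = {root: 0}, {}, set()
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link in lsdb.get(node, {}).items():
            new = cost + link
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                # the next hop is root's own neighbour on the chosen path
                first_hop[nbr] = nbr if node == root else first_hop[node]
                heapq.heappush(heap, (new, nbr))
    return {d: (dist[d], first_hop[d]) for d in dist if d != root}

def routing_tables(lsdb):
    """Run SPF independently on every router, as each OSPF router does."""
    return {router: spf(lsdb, router) for router in lsdb}

def update_link(lsdb, a, b, cost):
    """Return a new LSDB with link a-b set to cost, or removed if cost is None.
    This models the flooded LSA of step 5 reaching every router's database."""
    new = copy.deepcopy(lsdb)
    for x, y in ((a, b), (b, a)):
        if cost is None:
            new[x].pop(y, None)
        else:
            new[x][y] = cost
    return new
```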

d. Configure OSPF:

[edit protocols]
jc@Junos# set ospf area 0.0.0.0 interface ge-1/3/0.0 authentication md5 1 key 123456

e. Monitor OSPF:

jc@Junos> show ospf database
jc@Junos> show ospf database summary
jc@Junos> show ospf database brief
jc@Junos> show ospf database router
jc@Junos> show ospf interface
jc@Junos> show ospf neighbor
jc@Junos> show ospf route
jc@Junos> show ospf overview
jc@Junos> show route protocol ospf

12. RIP:

[edit protocols]
jc@Junos# set rip group fred-group neighbor ge-0/0/1.0

a. All RIP neighbors need to be part of a group, defined with the group keyword (e.g. fred-group).

jc@Junos> show rip neighbor
                     Source      Destination   Send   Receive   In
Neighbor     State   Address     Address       Mode   Mode     Met
--------     -----   -------     -----------   ----   -------  ---
ge-0/0/1.0      Up 10.0.29.2    224.0.0.9     mcast   both      1

b. The last column reports the inbound metric, which is how many hops will be added to received routes.

11. Default Route Preferences:

How Route is Learned                    Default Route Preference
Directly connected router or network    0
Configured static routes                5
MPLS                                    7
LDP (Label Distribution Protocol)       9
OSPF internal routes                    10
IS-IS Level 1 internal routes           15
IS-IS Level 2 internal routes           18
SNMP                                    50
RIP                                     100
PIM                                     105
DVMRP                                   110
Aggregate                               130
OSPF external routes                    150
IS-IS Level 1 external routes           160
IS-IS Level 2 external routes           165
BGP                                     170
MSDP                                    175

a. LDP — MPLS-specific protocol that LSRs can use to exchange information about the labels for each FEC so that they can assign the correct labels to each of their forwarding paths.

1) LSR (Label Switching Router) — a networking device that can run the MPLS protocols

2) LSP (Label Switched Path) — the end-to-end, unidirectional path established through the MPLS network

3) FEC (Forwarding Equivalence Class) — the set of IP packets assigned to a particular path and identified by its label

10. Routing Table:

Routing Table   Description
inet.0          Default table for IPv4 unicast routes, including configured static routes, RIP, OSPF, IS-IS, and BGP.
inet.1          Multicast forwarding cache, used by DVMRP and PIM
inet.3          Stores paths and label information for traffic engineering (MPLS)
inet6.0         Default table for IPv6 unicast routes
iso.0           ISO routes for IS-IS
mpls.0          Next hops for MPLS label-switched paths (LSPs)

jc@Junos> show route
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.0.0.0/24         *[Direct/0] 9w3d 17:41:54
                    > via ge-0/0/2.0
2.0.0.120/32       *[Local/0] 9w3d 17:41:57
                      Local via ge-0/0/2.0
10.5.0.0/16        *[Static/5] 9w3d 17:41:56
                    > to 10.93.15.254 via fxp0.0
10.10.0.0/16       *[Static/5] 9w3d 17:41:56
                    > to 10.93.15.254 via fxp0.0
10.93.4.52/32      *[Direct/0] 9w3d 17:43:44
                    > via lo0.0
                    [Static/5] 9w3d 17:43:44

__juniper_private1__.inet.0: 14 destinations, 14 routes (8 active, 0 holddown, 6 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Direct/0] 9w3d 17:43:44
                    > via fxp1.0
10.0.0.1/32        *[Local/0] 9w3d 17:41:57
                      Local

__juniper_private1__.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

fe80::/64         *[Direct/0] 9w3d 17:43:44
                    > via fxp1.0
fe80::200:ff:fe00:4/128
                  *[Local/0] 9w3d 17:41:57
                     Local via fxp1.0

a. hold-down state — it occurs before a route is removed from the routing table

b. hidden state — it is the result of a policy that you’ve configured on the router or of a problem with the route
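As an added example (not from the post), a Python parser for the "show route" listing above that also checks each prefix against the Default Route Preferences table: the entry flagged active (*) should be the one with the lowest preference, as 10.93.4.52/32 shows with Direct/0 active over Static/5. SAMPLE is the post's output trimmed to two tables.

```python
import re

# Added example (not from the post): parse "show route" output into
# per-table summaries and per-prefix entries, then verify that the entry
# flagged active (*) for each prefix is the lowest-preference one.
# SAMPLE is the post's own output, trimmed to two tables.
SAMPLE = """\
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.0.0.0/24         *[Direct/0] 9w3d 17:41:54
                    > via ge-0/0/2.0
10.5.0.0/16        *[Static/5] 9w3d 17:41:56
                    > to 10.93.15.254 via fxp0.0
10.93.4.52/32      *[Direct/0] 9w3d 17:43:44
                    > via lo0.0
                    [Static/5] 9w3d 17:43:44

__juniper_private1__.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

fe80::/64         *[Direct/0] 9w3d 17:43:44
                    > via fxp1.0
fe80::200:ff:fe00:4/128
                  *[Local/0] 9w3d 17:41:57
                     Local via fxp1.0
"""

HEADER = re.compile(r"^(\S+): (\d+) destinations, (\d+) routes "
                    r"\((\d+) active, (\d+) holddown, (\d+) hidden\)")
ENTRY = re.compile(r"([*+-]?)\[([A-Za-z0-9-]+)/(\d+)\]")   # e.g. *[Static/5]

def parse_show_route(text):
    """Return {table: {"summary": {...}, "routes": {prefix: [entries]}}}."""
    tables, table, prefix = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            table = m.group(1)
            keys = ("destinations", "routes", "active", "holddown", "hidden")
            tables[table] = {"summary": dict(zip(keys, map(int, m.groups()[1:]))),
                             "routes": {}}
            continue
        if table is None or not line.strip() or line.startswith("+ ="):
            continue
        if not line[0].isspace():            # an unindented line starts a prefix
            prefix = line.split()[0]
            tables[table]["routes"][prefix] = []
        for flag, proto, pref in ENTRY.findall(line):
            tables[table]["routes"][prefix].append(
                {"protocol": proto, "preference": int(pref), "active": flag == "*"})
    return tables

def preferred(entries):
    """Lowest preference wins; the first listed entry breaks a tie."""
    return min(entries, key=lambda e: e["preference"])

def preference_mismatches(tables):
    """(table, prefix) pairs whose active entry is not the lowest-preference one."""
    bad = []
    for name, t in tables.items():
        for prefix, entries in t["routes"].items():
            active = [e for e in entries if e["active"]]
            if active and active[0] is not preferred(entries):
                bad.append((name, prefix))
    return bad
```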

9. Static Route:

[edit routing-options]
jc@Junos# set static route 192.168.1.1 next-hop 10.1.0.1

8. Interface:

[edit]
jc@Junos# set interfaces ge-1/2/0 unit 0 family inet address 192.168.10.40/24
jc@Junos# set interfaces ge-1/3/0 unit 0 family inet6 address ::2/64
jc@Junos# set interfaces ge-1/3/0 unit 0 family iso

a. four levels:

physical interface -> unit -> family -> protocol family

1) unit is a logical interface

2) at least one family on each logical interface

3) at least one protocol family on each logical interface to allow it to receive and transmit protocol traffic

b. common protocols on interfaces:

1) inet – for IPv4

2) inet6 – for IPv6

3) iso – for the interfaces that need to support CLNS, which is the ISO network layer service protocol that is used by IS-IS.

4) mpls

7. Traceoptions:

[edit]
jc@Junos# set protocols ospf traceoptions file ospf.log
jc@Junos# set protocols ospf traceoptions flag all
jc@Junos# set security traceoptions flag policy-manager
jc@Junos# set security traceoptions flag general
jc@Junos# set routing-options traceoptions file trace-events world-readable
jc@Junos# set routing-options traceoptions flag all

6. Syslog:

[edit system]
jc@Junos# set syslog file ?
Possible completions:
 <file-name>          Name of file in which to log data
 cli-commands         Name of file in which to log data
 emergency            Name of file in which to log data
 firewall             Name of file in which to log data
 messages             Name of file in which to log data

[edit system]
jc@Junos# set syslog file messages any notice
jc@Junos# set syslog file messages authorization info
jc@Junos# set syslog file cli-commands interactive-commands any
jc@Junos# set syslog file emergency any emergency
jc@Junos# set syslog file firewall firewall notice
Facility               Types of Logging Events                                                              Severity    Logging Severity Levels
any                    Any router event                                                                     notice      General router operational events of more interest than “info”
authorization          Authentication and authorization attempts                                            info        General router operation
interactive-commands   Commands typed at the command-line interface or by a JUNOScript client application   any         All events
any                    Any router event                                                                     emergency   Errors that cause the router to stop operating
firewall               Packet filtering performed by firewall filters                                       notice      General router operational events of more interest than “info”

5. RADIUS:

[edit system]
jc@Junos# set radius-server 192.168.10.1 port 1812 secret 123456
jc@Junos# set radius-server 192.168.10.1 timeout 1
jc@Junos# set radius-server 192.168.10.1 retry 1
jc@Junos# set radius-server 192.168.10.1 source-address 192.168.200.2

[edit system]
jc@Junos# show
radius-server {
    192.168.10.1 {
        port 1812;
        secret "$9$SZQUk.fTz6Ct5TcyevLX"; ## SECRET-DATA
        timeout 1;
        retry 1;
        source-address 192.168.200.2;
    }
}

[edit system]
jc@Junos# set authentication-order [ radius password ]

4. Junos encrypts all passwords and marks them as ## SECRET-DATA, so when displaying the configuration you can hide even the fact that a password is present:

[edit system login]
jc@Junos# show | except SECRET-DATA
class operation {
    idle-timeout 0;
    permissions all;
}
user operation {
    full-name "Operation Team";
    uid 2000;
    class operation;
    authentication {
    }
}
user jc {
    uid 2005;
    class operation;
}

3. User Acct:

jc@Junos# set user jc class super-user
jc@Junos# set user jc authentication plain-text-password

2. Banner:

jc@Junos# set system login message "--------------------\nWARNING: Unauthorized access prohibited. --------------------\n"
jc@Junos# set system announcement "Network maintenance announcement."

1. Keyboard shortcuts:

Ctrl+a — move to beginning of command line

Ctrl+e — move to end of command line

Ctrl+k — delete all text from cursor to end of command line

Esc+b — move back one word

Esc+f — move forward one word

Esc+d — delete the word after the cursor

Esc+Backspace — delete the word before the cursor

August 21, 2009

Routing Engine and Packet Forwarding Engine

Filed under: Junos, Routing Design — Tags: — Jaycee @ 5:15 pm

RE (Routing Engine)
PFE (Packet Forwarding Engine)
PIC (Physical Interface Card)
FPC (Flexible PIC Concentrator)
SCB (Switching Control Board)

[figure: RE - PFE in Juniper router]

August 5, 2009

Beginning of JUNOS

Filed under: Junos — Tags: — Jaycee @ 10:00 pm

1. First time login:

root@Junos% cli
root@Junos>

2. Find network topic:

jc@Junos> help topic ospf area-backbone

3. View specific configuration information:

jc@Junos> help reference ospf area

4. Upgrade Junos software:

jc@Junos> show version brief
Hostname: Junos
Model: m10i
JUNOS Base OS boot [9.2-20090320.0]
JUNOS Base OS Software Suite [9.2-20090320.0]
JUNOS Kernel Software Suite [9.2-20090320.0]
JUNOS Crypto Software Suite [9.2-20090320.0]
JUNOS Packet Forwarding Engine Support (M/T Common) [9.2-20090320.0]
JUNOS Packet Forwarding Engine Support (M7i/M10i) [9.2-20090320.0]
JUNOS Online Documentation [9.2-20090320.0]
JUNOS Routing Software Suite [9.2-20090320.0]

jc@Junos> request system software add jbundle-5.3R2.4-domestic-signed.tgz
(domestic -- security jcrypto)
(signed -- MD5)

OR

jc@Junos> request system software add jbundle-5.3R2.4-domestic-signed.tgz reboot

5. Boot Sequence:

[figure: boot sequence]

a. Display alert msg when booting from HD:

--- NOTICE: System is running on alternate media device (/dev/ad1s1a).

b. Backup Junos and other files to HD:

jc@Junos> request system snapshot

c. Contact JTAC if the router has booted from the HD.

6. About CLI:

jc@Junos> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled
CLI restart-on-upgrade set to on
CLI screen-length set to 49
CLI screen-width set to 98
CLI terminal is 'xterm'
CLI is operating in enhanced mode
CLI timestamp disabled
CLI working directory is '/var/home/netops'

jc@Junos> show cli ?
Possible completions:
<[Enter]>            Execute this command
authorization        Show authorization and authentication information
directory            Show current working directory
history              Show list of previous commands
|                    Pipe through a command
jc@Junos> show cli | ?
Possible completions:
count                Count occurrences
display              Show additional kinds of information
except               Show only text that does not match a pattern
find                 Search for first occurrence of pattern
hold                 Hold text without exiting the --More-- prompt
last                 Display end of output only
match                Show only text that matches a pattern
no-more              Don't paginate output
request              Make system-level requests
resolve              Resolve IP addresses
save                 Save output text to file
trim                 Trim specified number of columns from start of line

7. Restore old configuration:

a. When the router commits a config, it also saves the existing configuration to a file (up to 9 are kept).
b. Current active config => juniper.conf
c. Most recent previous active config => juniper.conf.1.gz (file #1)

8. Redundancy:

a. by default, router doesn’t automatically enable the backup Routing Engine.

b. enable backup Routing Engine:

jc@Junos# set redundancy failover on-loss-of-keepalives

jc@Junos# show
redundancy {
    failover on-loss-of-keepalives;
}

c. keepalives:

1) If the backup Routing Engine fails to receive keepalives for 20 secs, it enters a message in the messages log file.

2) After 300 secs (the default failover timer), the backup Routing Engine attempts to assume the master role for the router.

3) When it succeeds, an alarm is generated to notify you that the master Routing Engine failed.

jc@Junos# set redundancy keepalive-time 30

jc@Junos# show
redundancy {
    failover on-loss-of-keepalives;
    keepalive-time 30;
}

4) Both master and backup Routing Engine must be operating the same version of Junos.

July 30, 2009

Commit Junos Configuration

Filed under: Junos — Tags: — Jaycee @ 7:53 am

JUNOS configuration steps

1. Candidate Configuration: You always enter your configuration or changes as a candidate file.

2. “show | compare“: shows exactly the changes you made, so you can look for any last-minute typos.

3. “commit check“: The system verifies the logic and completeness of your new configuration entries without activating any changes.

4. “commit confirmed“: If you don’t confirm your changes by entering commit within 10 minutes of activation, the device reverts back to the prior configuration.

5. “rollback“: lets you restore the rescue or any of the prior 50 configurations. A quick rollback is much easier than undoing one command at a time.

June 26, 2009

JUNOS Commands for IOS Users

Filed under: IOS, Junos — Tags: , — Jaycee @ 11:15 pm

A. Basic CLI and Systems Management Commands:

IOS Command             JUNOS Command
clock set               set date
reload                  request system reboot
send                    request message
show clock              show system uptime
show environment        show chassis environment
show history            show cli history
show ip traffic         show system statistics
show logging            show log
                        show log <file-name>
show processes          show system processes
show running-config     show configuration
show tech-support       request support information
show users              show system users
show version            show version
                        show chassis hardware
terminal length         set cli screen-length
terminal width          set cli screen-width
trace                   traceroute

B. Switching Commands:

IOS Command               JUNOS Command
none                      show ethernet-switching interfaces
show spanning-tree        show spanning-tree bridge
show mac address-table    show ethernet-switching table

C. Interface Commands:

IOS Command                JUNOS Command
clear counters             clear interface statistics
show interfaces            show interfaces
                           show interfaces detail
                           show interfaces extensive
show ip interface brief    show interfaces terse

D. Routing Protocol-Independent Commands:

IOS Command              JUNOS Command
clear arp-cache          clear arp
show arp                 show arp
show ip route            show route
show ip route summary    show route summary
show route-map           show policy
                         show policy <policy-name>
show tcp                 show system connections

1. OSPF Commands:

IOS Command                 JUNOS Command
show ip ospf database       show ospf database
show ip ospf interface      show ospf interface
show ip ospf neighbor       show ospf neighbor

2. BGP Commands:

IOS Command                                         JUNOS Command
clear ip bgp                                        clear bgp neighbor
clear ip bgp dampening                              clear bgp damping
show ip bgp                                         show route protocol bgp
show ip bgp community                               show route community
show ip bgp dampened-paths                          show route damping decayed
show ip bgp neighbors                               show bgp neighbor
show ip bgp neighbors <address> advertised-routes   show route advertising-protocol bgp <address>
show ip bgp neighbors <address> received-routes     show route receive-protocol bgp <address>
show ip bgp peer-group                              show bgp group
show ip bgp regexp                                  show route aspath-regex
show ip bgp summary                                 show bgp summary
