Jaycee's Networking

September 29, 2009

Basic Config of JUNOS

Filed under: IS-IS, Junos, OSPF, Static Route — Jaycee @ 7:18 pm

17. The loops argument to the autonomous-system statement sets how many occurrences of the local ASN are tolerated in received route updates. Seeing the local ASN in a received AS path indicates a BGP routing loop and results in the related route being discarded. The default setting of 1 rejects any route containing a single instance of the local AS number. To accept routes with a single instance of the local ASN, specify a loops value of 2.

jc@Junos# set routing-options autonomous-system loops 3

Tolerates as many as 2 instances of the local AS number in received route updates.
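The following is an added example, not code from the original post or from Junos: a small Python model of the loop-tolerance semantics just described, where a route is discarded once the local ASN appears at least `loops` times, so `loops N` tolerates N-1 occurrences. The textual AS-path format, the brace notation for AS sets, and the function names are assumptions made for this example.

```python
"""Model of the Junos 'autonomous-system ... loops N' check (added example)."""
from typing import List


def count_local_as(as_path: str, local_as: int) -> int:
    """Count occurrences of local_as in a textual AS path.

    Path format is an assumption of this example: whitespace-separated ASNs,
    with AS sets written in braces, e.g. '65001 65002 {65003 65001}'. Braces
    are stripped so that set members count as well.
    """
    tokens = as_path.replace("{", " ").replace("}", " ").split()
    return sum(1 for t in tokens if t.isdigit() and int(t) == local_as)


def route_accepted(as_path: str, local_as: int, loops: int = 1) -> bool:
    """Return True if the route survives the loop check.

    'loops' mirrors the Junos knob: the route is rejected when the local ASN
    appears at least 'loops' times, so loops=1 (the default) rejects a single
    instance and loops=3 tolerates two instances.
    """
    if loops < 1:
        raise ValueError("loops must be >= 1")
    return count_local_as(as_path, local_as) < loops


def filter_updates(updates: List[str], local_as: int, loops: int = 1) -> List[str]:
    """Apply the loop check to a batch of received AS paths."""
    return [path for path in updates if route_accepted(path, local_as, loops)]


if __name__ == "__main__":
    # Constructed sample paths as seen by a router in AS 65000.
    paths = ["65010 65020", "65010 65000 65020", "65000 65010 65000 65020"]
    for n in (1, 2, 3):
        print(f"loops {n}: accepted {filter_updates(paths, 65000, n)}")
```

Running the block shows that with the default of 1 only the loop-free path survives, with 2 the path carrying one instance of 65000 is also kept, and with 3 the path carrying two instances passes as well.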

16. Martian routes:

jc@Junos> show route martians table inet.0

inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
192.0.0.0/24 orlonger -- disallowed
223.255.255.0/24 orlonger -- disallowed
240.0.0.0/4 orlonger -- disallowed

15. Security:

a. SSH:

jc@Junos# set system services ssh

b. Direct broadcast msgs:

Junos doesn’t forward directed broadcast messages, which are datagrams whose destination address is an IP subnetwork broadcast address, in order to prevent their use in DoS attacks.

c. Martian addresses:

Martian addresses are host or network addresses about which all routing information is ignored.

(1) In IPv4: 0.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 191.255.0.0/16, 192.0.0.0/24, 223.255.255.0/24, 240.0.0.0/4

(2) In IPv6: the loopback address, the reserved and unassigned prefixes from RFC 2373, and the link-local unicast prefix are the default martian addresses
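As an added example (not part of the original post and not Junos code), the Python below checks received prefixes against the IPv4 martian list shown in the show route martians output earlier, honouring the difference between an exact entry and an orlonger entry. The table encoding, the rule that the most specific matching entry decides (which lets an explicit allowed entry carve an exception out of a broader disallowed one), and the function names are assumptions made for this example.

```python
"""Martian prefix filter modelled on 'show route martians table inet.0' (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the inet.0 martian list above: (prefix, match type, allowed?)
MARTIANS_INET0: List[Tuple[str, str, bool]] = [
    ("0.0.0.0/0", "exact", True),          # the default route itself is allowed
    ("0.0.0.0/8", "orlonger", False),
    ("127.0.0.0/8", "orlonger", False),
    ("128.0.0.0/16", "orlonger", False),
    ("191.255.0.0/16", "orlonger", False),
    ("192.0.0.0/24", "orlonger", False),
    ("223.255.255.0/24", "orlonger", False),
    ("240.0.0.0/4", "orlonger", False),
]


def entry_matches(entry, match_type: str, candidate) -> bool:
    """'exact' matches only the identical prefix; 'orlonger' matches the prefix
    itself and every more-specific prefix inside it."""
    if match_type == "exact":
        return candidate == entry
    if match_type == "orlonger":
        return candidate.subnet_of(entry)
    raise ValueError(f"unsupported match type: {match_type}")


def is_martian(prefix: str, table=MARTIANS_INET0) -> bool:
    """True when the prefix would be ignored by the router.

    The most specific matching entry decides (an assumption of this example);
    its allowed flag is then inverted to give the 'ignore this route' answer.
    """
    candidate = ipaddress.ip_network(prefix, strict=False)
    best: Optional[Tuple[int, bool]] = None   # (prefix length, allowed?)
    for text, match_type, allowed in table:
        entry = ipaddress.ip_network(text)
        if entry.version != candidate.version:
            continue
        if entry_matches(entry, match_type, candidate):
            if best is None or entry.prefixlen > best[0]:
                best = (entry.prefixlen, allowed)
    return best is not None and not best[1]


def filter_routes(prefixes: List[str], table=MARTIANS_INET0) -> List[str]:
    """Return only the prefixes the router would keep."""
    return [p for p in prefixes if not is_martian(p, table)]


if __name__ == "__main__":
    # Constructed sample of received prefixes.
    received = ["10.0.0.0/8", "127.0.0.1/32", "0.0.0.0/0", "128.0.1.0/24", "240.1.2.0/24"]
    for p in received:
        print(f"{p:18} {'disallowed' if is_martian(p) else 'allowed'}")
```

Note that 128.1.0.0/16 is kept while 128.0.1.0/24 is dropped: orlonger covers only prefixes inside 128.0.0.0/16, not the whole 128/8 block, which is exactly what the martian list above encodes.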

d. Who’s logged in:

jc@Junos> show system users
jc@Junos> request system logout mike
jc@Junos> request message user mike message "End router session now!"
jc@Junos> request message all message "End router session now!"

e. Who’s configuring:

jc@Junos# status
Users currently editing the configuration:
  fred terminal p0 (pid 13329) on since 2008-03-23 15:15:12 UTC

f. Ensure no one else can modify the router while you’re editing:

jc@Junos> configure exclusive

14. IS-IS:

a. IS-IS runs directly on the data link layer (Layer 2). As a result, each interface that runs IS-IS doesn’t need an IP address to exchange IS-IS information.

b. It was developed as part of the OSI network protocols and not part of TCP/IP, thus IS-IS doesn’t use IP addresses.

c. IS-IS addresses are called NETs (Network Entity Titles). NETs can be 8 to 20 bytes long, but are generally 10 bytes long.

d. All the routers within an area exchange their network topology information in IS-IS LSPs, and run the SPF calculation to keep their link-state database identical.

e. Routers within an area can send summaries of their routes to other areas in the IS-IS network.

f. Two types of routers:

(1) Level 1 systems: When they receive traffic destined for somewhere outside the area, they send the packet toward a Level 2 system.

(2) Level 2 systems:

(2.1) Route traffic between two IS-IS areas.
(2.2) Route traffic to other ASs.

g. Configure IS-IS:

jc@Junos# set interfaces ge-1/0/0 unit 0 family iso
jc@Junos# set protocols isis interface ge-1/0/0.0

h. Monitor IS-IS:

jc@Junos> show isis database
jc@Junos> show isis adjacency => displays the neighbors
jc@Junos> show isis interface
jc@Junos> show isis route
jc@Junos> show route protocol isis

13. OSPF:

a. Link-state protocols run a SPF algorithm to create a database of the network’s topology to determine the best path to a destination.

b. Each router goes through the following process to discover the network topology and determine the best path to each destination:

1) OSPF creates LSAs which describe the network topology that the router has in its link-state database.

2) The router floods the LSAs to all routers in the domain.

3) When the router receives LSAs from other routers, it adds the information to its link-state database.

4) The router runs the Dijkstra SPF calculation to determine the shortest path to each destination in the domain. The result of the calculation is the destination address and the next hop, which OSPF places in its OSPF routing database. Each router performs the SPF calculation independently; all routers end up with identical link-state databases, though they may compute different next hops for the same destination.

5) When changes occur in the domain, this information is transmitted in LSAs, and all the OSPF routers rerun the SPF calculation and update their link-state database.

c. As an OSPF network gets larger, one of the challenges is keeping the link-state databases on all routers in sync. => divide it into smaller areas

1) Each area has the same properties: All the routers within the area exchange their network topology information in LSAs, and this smaller group of routers run the SPF calculation to keep their link-state databases identical.

2) ABRs — run 2 SPF calculations, maintain 2 link-state databases, pass route information between the 2 areas but summarize it before sending it into the neighboring area.

Summarization improves the overall stability of the OSPF network.

3) ASBRs — are responsible for advertising externally learned routes into the OSPF administrative domain.

4) All routers in the OSPF backbone must be physically connected to each other. If any routers aren’t physically contiguous, they must be connected by an OSPF virtual link so that they appear to be contiguous.

5) Area ID 0 is normally written as the 32-bit value 0.0.0.0.

6) Stub areas — receive only summarized routing information about other areas within the OSPF domain, and don’t receive any information about external OSPF routes. => Stub areas can’t connect to external networks.

7) NSSAs — can connect to external networks.

d. Configure OSPF:

[edit protocols]
jc@Junos# set ospf area 0.0.0.0 interface ge-1/3/0.0 authentication md5 123456

e. Monitor OSPF:

jc@Junos> show ospf database
jc@Junos> show ospf database summary
jc@Junos> show ospf database brief
jc@Junos> show ospf database router
jc@Junos> show ospf interface
jc@Junos> show ospf neighbor
jc@Junos> show ospf route
jc@Junos> show ospf overview
jc@Junos> show route protocol ospf

12. RIP:

[edit protocols]
jc@Junos# set rip group fred-group neighbor ge-0/0/1.0

a. All RIP neighbors need to be part of a group defined with the group keyword (here, fred-group).

jc@Junos> show rip neighbor
                     Source      Destination   Send   Receive   In
Neighbor     State   Address     Address       Mode   Mode     Met
--------     -----   -------     -----------   ----   -------  ---
ge-0/0/1.0      Up 10.0.29.2    224.0.0.9     mcast   both      1

b. The last column reports the inbound metric, which is how many hops will be added to received routes.

11. Default Route Preferences:

How Route Is Learned                    Default Route Preference
Directly connected router or network    0
Configured static routes                5
MPLS                                    7
LDP (Label Distribution Protocol)       9
OSPF internal routes                    10
IS-IS Level 1 internal routes           15
IS-IS Level 2 internal routes           18
SNMP                                    50
RIP                                     100
PIM                                     105
DVMRP                                   110
Aggregate                               130
OSPF external routes                    150
IS-IS Level 1 external routes           160
IS-IS Level 2 external routes           165
BGP                                     170
MSDP                                    175

a. LDP — MPLS-specific protocol that LSRs can use to exchange information about the labels for each FEC so that they can assign the correct labels to each of their forwarding paths.

1) LSR (Label Switching Router) — a networking device that can run the MPLS protocols

2) LSP (Label Switched Path) — the end-to-end, unidirectional path established through the MPLS network

3) FEC (Forwarding Equivalence Class) — the set of IP packets assigned to a particular path and identified by its label

10. Routing Table:

Routing Table   Description
inet.0          Default table for IPv4 unicast routes, including configured static routes, RIP, OSPF, IS-IS, and BGP.
inet.1          Multicast forwarding cache, used by DVMRP and PIM
inet.3          Stores paths and label information for traffic engineering (MPLS)
inet6.0         Default table for IPv6 unicast routes
iso.0           ISO routes for IS-IS
mpls.0          Next hops for MPLS label-switched paths (LSPs)

jc@Junos> show route
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.0.0.0/24         *[Direct/0] 9w3d 17:41:54
                    > via ge-0/0/2.0
2.0.0.120/32       *[Local/0] 9w3d 17:41:57
                      Local via ge-0/0/2.0
10.5.0.0/16        *[Static/5] 9w3d 17:41:56
                    > to 10.93.15.254 via fxp0.0
10.10.0.0/16       *[Static/5] 9w3d 17:41:56
                    > to 10.93.15.254 via fxp0.0
10.93.4.52/32      *[Direct/0] 9w3d 17:43:44
                    > via lo0.0
                    [Static/5] 9w3d 17:43:44

__juniper_private1__.inet.0: 14 destinations, 14 routes (8 active, 0 holddown, 6 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Direct/0] 9w3d 17:43:44
                    > via fxp1.0
10.0.0.1/32        *[Local/0] 9w3d 17:41:57
                      Local

__juniper_private1__.inet6.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

fe80::/64         *[Direct/0] 9w3d 17:43:44
                    > via fxp1.0
fe80::200:ff:fe00:4/128
                  *[Local/0] 9w3d 17:41:57
                     Local via fxp1.0

a. hold-down state — it occurs before a route is removed from the routing table

b. hidden state — the result of a policy that you’ve configured on the router, or of a problem with the route

9. Static Route:

[edit routing-options]
jc@Junos# set static route 192.168.1.1 next-hop 10.1.0.1

8. Interface:

[edit]
jc@Junos# set interfaces ge-1/2/0 unit 0 family inet address 192.168.10.40/24
jc@Junos# set interfaces ge-1/3/0 unit 0 family inet6 address ::2/64
jc@Junos# set ge-1/3/0 unit 0 family iso

a. four levels:

physical interface > unit > family > protocol family

1) unit is a logical interface

2) at least one family on each logical interface

3) at least one protocol family on each logical interface to allow it to receive and transmit protocol traffic

b. common protocols on interfaces:

1) inet – for IPv4

2) inet6 – for IPv6

3) iso – for the interfaces that need to support CLNS, which is the ISO network layer service protocol that is used by IS-IS.

4) mpls

7. Traceoptions:

[edit]
jc@Junos# set protocols ospf traceoptions file ospf.log
jc@Junos# set protocols ospf traceoptions flag all
jc@Junos# set security traceoptions flag policy-manager
jc@Junos# set security traceoptions flag general
jc@Junos# set routing-options traceoptions file trace-events world-readable
jc@Junos# set routing-options traceoptions flag all

6. Syslog:

[edit system]
jc@Junos# set syslog file ?
Possible completions:
 <file-name>          Name of file in which to log data
 cli-commands         Name of file in which to log data
 emergency            Name of file in which to log data
 firewall             Name of file in which to log data
 messages             Name of file in which to log data

[edit system]
jc@Junos# set syslog file messages any notice
jc@Junos# set syslog file messages authorization info
jc@Junos# set syslog file cli-commands interactive-commands any
jc@Junos# set syslog file emergency any emergency
jc@Junos# set syslog file firewall firewall notice

Facility / Severity        Type of Logging Events (facility)                                 Logging Severity Level
any notice                 Any router event                                                  General router operational events of more interest than “info”
authorization info         Authentication and authorization attempts                         General router operation
interactive-commands any   Commands typed at the CLI or by a JUNOScript client application   All events
any emergency              Any router event                                                  Errors that cause the router to stop operating
firewall notice            Packet filtering performed by firewall filters                    General router operational events of more interest than “info”

5. RADIUS:

[edit system]
jc@Junos# set radius-server 192.168.10.1 port 1812 secret 123456
jc@Junos# set radius-server 192.168.10.1 timeout 1
jc@Junos# set radius-server 192.168.10.1 retry 1
jc@Junos# set radius-server 192.168.10.1 source-address 192.168.200.2

[edit system]
jc@Junos# show
radius-server {
    192.168.10.1 {
        port 1812;
        secret "$9$SZQUk.fTz6Ct5TcyevLX"; ## SECRET-DATA
        timeout 1;
        retry 1;
        source-address 192.168.200.2;
    }
}

[edit system]
jc@Junos# set authentication-order [ radius password ]

4. Junos encrypts all passwords and marks them as ## SECRET-DATA. Filtering the output with except SECRET-DATA hides even the fact that a password is present in the configuration.

[edit system login]
jc@Junos# show | except SECRET-DATA
class operation {
    idle-timeout 0;
    permissions all;
}
user operation {
    full-name "Operation Team";
    uid 2000;
    class operation;
    authentication {
    }
}
user jc {
    uid 2005;
    class operation;
}

3. User Acct:

jc@Junos# set user jc class super-user
jc@Junos# set user jc authentication plain-text-password

2. Banner:

jc@Junos# set system login message "--------------------\nWARNING: Unauthorized access prohibited. --------------------\n"
jc@Junos# set system announcement "Network maintenance announcement."

1. Keyboard shortcuts:

Ctrl+a — move to beginning of command line

Ctrl+e — move to end of command line

Ctrl+k — delete all text from cursor to end of command line

Esc+b — move back one word

Esc+f — move forward one word

Esc+d — delete the word after the cursor

Esc+Backspace — delete the word before the cursor


May 16, 2009

IP Routing Overview 2/2

Filed under: IOS, Static Route — Jaycee @ 1:07 am

A. Routing Protocols:

1. EGPs are much more complicated than IGPs because they handle more routing information while performing better route summarization.

2. Distance-Vector and Link-State Routing Protocols:

a. Distance-Vector Protocols:

(1) They provide two pieces of information for every route: a distance (metric) and a vector (next hop).
(2) A lower metric value means a better route.

b. Link-State Routing Protocols:

(1) They build network topology on each router and broadcast only changes to the entire network.
(2) Link-State information saves network bandwidth by reducing the amount of routing traffic needed for routing updates.

3. Administrative Distance:

a. Each route is assigned an administrative distance, based on how the route was learned.

b. Think of the route’s metric as the preference of a route, while the administrative distance is the preference of how the route was discovered.

c. A route to a network attached to a directly connected interface is the most preferred route.

B. Split Horizon:

1. Stops routing loops by telling the router NOT to advertise routes out of the same interface on which the route was originally learned.

=> If a router learns about a route on a particular interface, it doesn’t broadcast that route information out that interface.

2. Split horizon can’t prevent routing loops involving 3 or more routers, but it’s effective at preventing loops b/w 2 routers.

3. Split horizon is enabled by default on most interfaces.

4. Split horizon should be disabled on a multipoint subinterface:

no ip split-horizon

5. Routing protocols can often work out routing loops on their own; however, split horizon solves the problem more efficiently because it prevents the loops from developing in the first place.

C. Static Routing:

1. Use interface:

ip route 10.35.15.5 255.255.255.255 Ethernet0

This sends packets destined for the single host 10.35.15.5 out through the Ethernet0 interface. The router still needs to figure out which device on this segment to forward the packet to, because it must put the MAC address of the next-hop router in the Layer 2 frame header.

The standard mechanism for associating IP addresses with MAC address is ARP (Address Resolution Protocol). The router will send out an ARP request broadcast on the Ethernet segment.

If the device that owns the packet’s destination IP happens to be on this segment, it’ll respond with its MAC address. Otherwise, a router configured for proxy ARP will have to respond on its behalf. If you don’t have proxy ARP configured on the next-hop router, this command will fail.

For multiple-access media such as Ethernet segments, it’s better to specify the IP address of the next-hop router rather than the interface.

2. “permanent” keyword

ip route 172.16.0.0 255.255.0.0 10.35.6.1 permanent

It ensures the static route always remains in the routing table, even if the next-hop interface is down.

There is a danger that the dynamic routing protocol will install a route that you don’t want to use, so it may be preferable to drop the packets rather than to use the dynamic route.

3. Routing tags:

ip route 172.16.0.0 255.255.0.0 10.35.6.1 tag 36291

Routing tags are used when redistributing from one routing protocol to another.

4. Administrative Distance value:

ip route 172.16.0.0 255.255.0.0 10.35.6.1 5

The router will use this distance value to decide between routes to the same destination prefix from different sources.

5. Floating Static Routes:

ip route 10.0.0.0 255.0.0.0 172.16.1.1 190

The router will use a floating static route for a particular network prefix ONLY IF that same route is not available from the dynamic routing protocol. This is accomplished by setting the AD (administrative distance) of the static route to a value greater than the AD of the dynamic routing protocol.

*Remember: the router will always use the route that has the most precise match (longest netmask).

For example, if the router has learned a route for 10.35.15.0/24 from OSPF, and also has a static route for 10.35.15.0/17 with AD=190, it’ll use the static route even though it has a higher AD.

*The AD is only used to decide between competing routes of the same mask length.

Floating static routes are often used to trigger automated backup mechanisms when the routing protocol fails.
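The following added example (not from the original post, and not IOS or Junos code) models the two rules from this section and from the Junos Default Route Preferences table earlier: installation into the routing table picks the lowest administrative distance among routes to the same prefix, and forwarding picks the longest matching prefix regardless of distance. The Route class, the sample routes and the next hops are constructed for this example; the floating static route uses AD 190 as in the text above, and OSPF is given 110, which is Cisco IOS’s default and is not stated on this page.

```python
"""Longest-prefix match and administrative distance, worked in Python (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str       # destination network in CIDR form
    next_hop: str
    source: str       # "ospf", "static", ...
    distance: int     # administrative distance / route preference; lower wins

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed sample routes. 190 is the floating static AD from the text above;
# 110 is Cisco IOS's default OSPF AD (assumption, not stated on this page).
SAMPLE_ROUTES: List[Route] = [
    Route("10.0.0.0/8", "10.1.1.1", "ospf", 110),
    Route("10.0.0.0/8", "172.16.1.1", "static", 190),   # floating static backup
    Route("10.35.15.0/24", "10.1.1.1", "ospf", 110),
    Route("10.35.0.0/17", "10.35.6.1", "static", 190),
    Route("0.0.0.0/0", "192.0.2.1", "static", 1),
]


def build_rib(routes: List[Route]) -> Dict[str, Route]:
    """Routing-table installation: among candidates for the same prefix,
    only the route with the lowest administrative distance is kept."""
    rib: Dict[str, Route] = {}
    for r in routes:
        if r.prefix not in rib or r.distance < rib[r.prefix].distance:
            rib[r.prefix] = r
    return rib


def lookup(rib: Dict[str, Route], destination: str) -> Optional[Route]:
    """Forwarding lookup: the longest matching prefix wins, whatever distance
    the route was installed with."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in rib.values() if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def withdraw(routes: List[Route], source: str) -> List[Route]:
    """Simulate a routing-protocol failure by dropping every route from a source."""
    return [r for r in routes if r.source != source]


if __name__ == "__main__":
    rib = build_rib(SAMPLE_ROUTES)
    print("10.0.0.0/8 installed from", rib["10.0.0.0/8"].source)     # ospf: lower AD
    print("10.35.15.9 ->", lookup(rib, "10.35.15.9").prefix)           # /24 beats /17
    print("10.35.1.9  ->", lookup(rib, "10.35.1.9").prefix)            # only the /17 covers it
    rib = build_rib(withdraw(SAMPLE_ROUTES, "ospf"))
    print("after OSPF loss, 10.0.0.0/8 via", rib["10.0.0.0/8"].next_hop)  # floating static
```

While OSPF is up, the /8 from OSPF is installed and the AD-190 static is held in reserve; once OSPF routes are withdrawn, the floating static becomes the only candidate and takes over. The lookups for 10.35.15.9 and 10.35.1.9 show the longest-match rule deciding before any distance comparison happens.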

6. Using Policy-based Routing to route based on Source address:

access-list 1 permit 10.15.35.0 0.0.0.255
access-list 2 permit 10.15.36.0 0.0.0.255
interface Ethernet0
 ip address 10.15.22.7 255.255.255.0
 ip policy route-map Engineers
 ip route-cache policy
route-map Engineers permit 10
 match ip address 1
 set ip next-hop 10.15.27.1
 set ip next-hop verify-availability
route-map Engineers permit 20
 match ip address 2
 set default next-hop 10.15.47.1
 (set default interface Null0)

Policy-based routing allows you to configure special routing rules beyond the normal IP routing table.

*Every route map ends with an implicit deny all.

“next-hop verify-availability” uses CDP. You have to ensure that CDP is enabled on the interface leading to this next-hop device (that device must be another Cisco router running CDP). This verification process can cause performance problems. Furthermore, CDP uses a long timeout period by default (180 seconds), so it’s slow to respond to failures.

“default next-hop” forces the router to discard the packets rather than using the router’s general default gateway.

“ip route-cache policy” tells the router to use fast switching rather than process switching when processing the policy command.

Because policy-based routing overrides the normal routing tables within the router, it can cause confusing troubleshooting problems, such as when pinging from the router: ICMP packets originating on the router are not subject to the routing policy, so you may find that you can ping while the application still doesn’t work for certain users.

*Recommend AVOID policy-based routing.
