Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
JNCIA-Junos (JN0-103) summary

JNCIA-Junos (JN0-103) summary

v1.0

Author: Anton Chmutov Derevianko sir.antoxic@gmail.com

Product portfolio

Routers

  • M Series - first product by Juniper Networks, multiservice router (routing and MPLS services, no switches) Designed for enterprise and service providers.
  • T Series - no switching, only routing, old, performance upgrade for M. High end and core routers.
  • MX Series - universal routing platform used for routing and also switching. Featured a Trio chipset. High throughput.
  • J series - used for small offices and have integrated security (similar to SRX but older).
  • PTX series - packet transfer routers. High bandwidth, for core, Tbps throughput. Optimized for core and data centers.
  • ACX Series - Universal Access Router - optimized for metro network architecture, access aggregation, LTE deployments, mobile backhaul.
  • SRX - Service Gateway devices. Firewall, switch, WiFi, 3G, VoIP, Routing. All in one platform.

Switches

  • EX - L3 switches
  • QFX - data center switches
  • OCX - recent switches, focused on open, disaggregated networking systems

SDN

  • NFX250 - network services platform. Used as CPE. Virtualized security appliance with native SRX Series software.
  • NorthStart Controller - SND controller for traffic engineering (optimization). It automates the control of segment routing and IP/MPLS flows.
  • IP/MPLSView is a multivendor, multiprotocol, and multilayer operations support systems (OSS) traffic management and traffic engineering solution for IP and/or MPLS networks
  • Contrail - SDN controller for network management and orchestration from the cloud.

Juniper abbreviations and terminology

  • Control plane - The control plane is the router's brain and its computational element. Usually implemented on a Routing Engine (RE)
  • RE - Routing engine - Responsible for OSPF, SSH, etc... Has a kernel, it is an x86 with flash, SSD and RAM. Processes exception traffic (routing protocol updates, management traffic for the RE an packets with IP options). Is connected to the line cards with an internal ethernet switch (show chassis ethernet switch). The internal link has a built-in rate limiter that is not configurable and protects against DoS attacks.
  • FP - Forwarding Plane. It is a set of linecards interconnected by a switch fabric, that together represent the forwarding plane (also called the data plane).
  • PFE - Packet Forwarding Engine, the intelligent component of the forwarding plane. One line card can have multiple PFE. Runs on ASICs for increased performance. Uses Layer 2 and Layer 3 forwarding tables to forward traffic toward its destination. Implements various services such as policing, stateless firewall filtering, and class of service.
  • SCB - Switch Control Board. It has three primary functions: switch data between the line cards, control the chassis, and house the routing engine (RE is usually inserted into this card).
  • RT - Routing table. Contains all the valid routes. It is located in the RE and updated by routing protocols. Also referred as RIB - Routing information base.
  • FT - Forwarding table. Contains all the active (best) routes from the RT. It is located and used by PFE. Also referred as FIB - Forwarding information base. The RE is responsible of updating this table in all installed PFE.
  • Route Preference is also known as an administrative distance in Cisco.
  • Metric is used to select best route when the preference is the same, i.e.: when both routes are learned via the same protocol they will have same preference but they may have different metric.
  • FPC - Flexible PIC Concentrator. Referred as linecard (ge-1/0/0, ge-2/0/0).
  • PIC - Physical Interface Card. Logical port separation on the line card (ge-3/0/0, ge-3/1/0).
  • MIC - Modular Interface Card. MICs provide the physical connections to various network media types. MICs allow different physical interfaces to be supported on a single line card. An FPC port can be separated into few parts allowing to plug multiple PICs into it, one MIC could contain ethernet ports and another ATM ports.
  • Interface ge-0/2/3 = physical Gigabit Ethernet port 3 of a Gigabit Ethernet PIC in slot 2 on FPC 0
  • Line card types:
    • DPC - Dense Port Concentrator.
    • DPCE - Dense Port Concentrator Enhanced card.
    • MPC - Modular Port Concentrator. Inserted into FPC. Second-generation high-density and high-speed line cards .
    • MS-MIC/MPC - Multiservice MIC/MPC. Can offer services as PAT and IPSec. Normal line cards some times does not have those services so a separate card is required.
    • Different plattforms use different names for line cards and interface cards, but the CLI almos always refers to them as FPC and PIC.
  • Transient interface - Interface that belong to a MIC. They are referred to as transient because you can hot-swap a line card or MIC card at any time.
  • PEM - Power Entry Module (Power supply)

Junos versions

19.1 R 2.1
 ^ ^ ^ ^ ^
 | | | | + spin number
 | | | + build number
 | | + software release
 | + minor release number 
 + main release number

Release types: X - Security focused release (special eXception). R - Maintenance release. Released about every eight weeks to fix a collection of issues. No features added. S - Service release. Released on demand to fix critical issues that will be addressed by mantenance release. F - Feature velocity release. Introduce innovative features that later on will be added to a next minor release.

FreeBSD terminology

  • IFD — interface device — physical port on the device (xe-0/0/0)
  • IFL — interface logical — number of the logical unit (unit 0)
  • IFF — interface family (family inet)
  • IFA — interface address — network address (10.0.0.1)

FreeBSD daemons

  • DCD - Device Configuration Daemon. Controls both the physical and logical properties of the interfaces.
  • PPMD - Periodic packet manager. Responsible of processing protocol keepalives, hellos, etc...
  • RPD - Routing Protocol Daemon. Its functionality includes all protocol messages, routing table updates, and implementation of routing policies. Restart using process restart routing
  • MGD - Management Daemon. Controls all user access to the router. For example, the user’s CLI is a client of mgd.
  • CHASSISD - Chassis Daemon. Controls the properties of the router itself, including the interaction of the passive midplane, the FPCs, and the control boards.
  • PFED - Packet Forwarding Engine Daemon. Controls the communication between the Packet Forwarding Engine and the Routing Engine.

CLI user interface

Keyboard shortcuts

Sequence Action
Alt + b Move the cursor back one word
Alt + f Move the cursor forward one word
Ctrl + a Move the cursor to the beginning of the command line
Ctrl + e Move the cursor to the end of the command line
Ctrl + d Delete the character at the cursor
Ctrl + k Delete the all characters from the cursor to the end of the command line
Ctrl + u Delete the all characters from the command line
Ctrl + w Delete the word before the cursor
Alt + d Delete the word after the cursor

CLI settings

set cli screen-length <length> number of lines of text that the terminal screen displays. The point at which the ---(more)--- prompt appears on the screen is a function of this setting. Executed from operational mode.

Configuration modes

  • configure or edit - If you and another user make changes and another user commits it's changes while you are editing, your changes are committed as well.
  • configure private - If the configuration has been modified by another user, you can merge the modifications into your private candidate configuration and attempt to commit again.
  • configure exclusive - Configure exclusive only allows one user to be making changes at a time.

Configuration mode commands

  • delete delete all the contents from the current config block
  • up go up one level
  • up <x> move up the specified number of levels in the configuration hierarchy.
  • up <number> <configuration-command> issue configuration mode commands from a location higher in the hierarchy.
  • exit exit configuration mode from the top level
  • exit configuration-mode exit configuration from any level
  • top go to the top of configuration
  • top show top can be combined with other commands
  • copy existing-statement to new-statement make a copy of an existing statement in the configuration.
  • replace pattern <pattern> with <new_value> a pattern inside of a config block can be replaced. This is similar to 'find and replace' used in text editors. Very helpful when ordering terms in - filtersinsert term 2 before term 1 at the [edit policy-options policy-statement XXXXXX] hierarchy level to change statement order after the term is created.
  • wildcard delete <statement-path> <identifier> <regular-expression> Delete a statement or identifier. wildcard delete interface ge-0/0/* deletes all the interfaces starting with ge-0/0/*
  • deactivate interfaces ge-0/0/0 Deactivates the configuration of the specified block
  • set interfaces ge-0/0/0 disable Shut down the physical interface, deactivate will only deactivate config, not the physical interface.
  • annotate <statement> <comment string> Add comments to a configuration.

Viewing and comparing the Configuration

  • show | display set display the configuration as a series of configuration mode commands required to re-create the configuration from the top level of the hierarchy as set commands.
  • show | display set relative display configuration relative to the current hierarchy level.
  • show | display inheritance display configuration with config groups applied.
  • show | display xml display config in xml/netconf format.
  • show | display detail display command description and usage
  • show | display inheritance include inherited configuration
  • show | display omit include omitted blocks
  • show | except <regexp> show only text that does not match a pattern
  • show | find <regexp> search for first occurrence of pattern
  • show | match <regexp> show only text that matches a pattern
  • show | hold hold text without exiting the --More-- prompt
  • show | no-more displays all content at once without pagination
  • show | last display end of output only
  • show | resolve resolve IP addresses
  • show | save save output text to file
  • show | tee write to standard output and file
  • show | trim <n-columns> trim specified number of columns from start of line
  • show | compare compare running configuration with the candidate

Load and save configuration using terminal (from the current hierarchy)

In configuration mode:

  • save terminal print the current config to terminal
  • load merge|override|replace|update|patch terminal [relative] load the config (with braces and hierarchy) from terminal. override deletes the entire config and replaces it with a new one while replace only replaces the existing statements defined in the loaded config.
  • save <filename> save configuration to file. If no path name specified, it will save to /var/home/username
  • save [ftp://|scp://] configuration could be saved to a network resource
  • load factory-default load factory default configuration

Load configuration from file

  • load merge 'filename' load configuration from filename. Partial configuration should be loaded from the right config hierarchy level
  • load merge 'filename' relative let the system detect the right level to insert the changes
  • load override 'filename' replace the configuration with the configuration from the file

Saving changes

Edit mode creates a candidate configuration which will become active after issuing a commit command.

  • commit commit current changes.
  • commit and-quit commit and return to privileged mode.
  • commit check checks but does not applies the candidate config.
  • commit confirmed X applies the candidate config but for a specified amount of minutes (10 by default). If there is no commit issued after X minutes, the applied configuration is reverted.
  • commit comment "changed bla bla bla" add a comment to the commit.
  • commit at time configuration will be scheduled to commit at specified time.
  • clear system commit remove the scheduled commit.
  • show system commit shows scheduled system commits.
  • commit synchronize commit and sync the config on both RE. set system commit synchornize forces to synchronize the config on each commit automatically.

Rollback

  • show system commit show information about all previous commits with the commit messages
  • rollback 1 overwrite the candidate config with the previous one. Won't apply until commit is issued
  • rollback 0 or rollback reset all changes made by candidate config. Won't apply until commit is issued
  • set max-configurations-on-flash <x> specify the amount of config versions to save (defaults to 50)

Comparing configuration

  • From privileged mode
    • show system rollback 3 compare 1 compare third rollback configuration with the first one
    • show configuration | compare rollback x compare current configuration with a rollback configuration
  • From configuration mode
    • show | compare rollback 3 compare candidate configuration with a rollback configuration

Rescue configuration

  • request system configuration rescue save save current configuration as rescue
  • request system configuration rescue delete delete current rescue configuration
  • show system configuration rescue show rescue configuration
  • rollback rescue revert changes to the recue config
  • file show /config/rescue.conf.gz show the file which contains the rescue configuration

Using CLI help

  • help topic routing-options static show command usage guidelines (very detailed)
  • help reference routing-options static show command summary information (syntax, default parameters and allowed value ranges, the configuration level at which the command can be entered)
  • help apropos <text> find a list of all configuration-mode commands that contain a particular text string
  • help syslog <MESSAGE_CODE> message code documentation

Working with files

  • file list <dir> show file list in specified directory
  • file show <filename> show contents of a file
  • file compare files <file1> <file2> compare two files
  • file delete <filename>

Shell

  • start shell go to Free BSD cli
  • start shell pfe network fpc0 go to shell of the line card management console

Configuration Basics

Factory reset

Reset configuration only

configure
load factory-default /* replace current config with the factory default config */
set system root-authentication plain-text-password /* Junos will not let you commit without setting the root password */
commit and-quit

Full factory reset

request system zeroize hard factory reset, deletes logs and some files

User accounts and login classes

Authentication methods

set system authentication-order [radius password] password method will be used if radius denies access. If we don't specify "password", we will only fallback to password if radius is not available (we won't fallback if radius rejects the credentials)

Radius server configuration

system radius server 1.1.1.1 {
  secret xxx
}

Permission control granularity

+User - defines authorization parameters
|--+Class - named container that groups permission flags
   |--+Permission flags - predefined sets of related commands
      |--Deny and Allow overrides - define exceptions for commands and config statements

Junos predefined login classes

Login Class Permission Flag Set
operator clear, network, reset, trace, and view
readonly view
superuser or super-user all
unauthorized None

Creating users

Create user Bla with a super-user class

configure
edit system login
set user Bla class super-user
set user Bla authentication plain-text-password <xxxx>
commit and-quit

Changing custom classes

Note: deny statements are checked before allow statements.

edit system login
set class CustomClass permissions [...] /* create custom user class with specified permission flags */
set class CustomClass deny-commmands "(regular-expression)|(regular-expression1)..." /* explicitly deny specified operational mode commands */
set class CustomClass allow-commmands "(regular-expression)|(regular-expression1)... /* explicitly allow specified operational mode commands */
set class CustomClass deny-configuration "regular-expression)|(regular-expression1)..." /* explicitly deny configuration access to the specified levels in the hierarchy */
set class CustomClass allow-configuration "interfaces|firewall" /* explicitly allow configuration access to the specified levels in the hierarchy */

Changing user home directory

From operational mode:

set cli directory <dir>

List user files: file list /var/home/Bla

Configuration groups

configure
edit groups
all-atm {
  interfaces {
    <at-*> {
      encapsulation atm-pvc;
      atm-options {
        ...
      }
      unit 100 {
        point-to-pint;
        ...
      }
    }
  }
}
top
edit interfaces
apply-groups all-atm;
commit and-quit

Verification:

  • show interfaces at-0/0/1 | display inheritance shows the config with all the applied configuration from groups and also comments of which element was inherited from which apply group
  • show interfaces at-0/0/1 | display inheritance except # exclude comments related to inherited statements

Logging

Each system log message belongs to a facility, which groups together messages that either are generated by the same source (such as a software process) or concern a similar condition or activity (such as authentication attempts). Each message is also preassigned a severity level, which indicates how seriously the triggering event affects routing platform functions.

Configuration:

configure
edit system syslog
set user Bla any any /* Send any type of message of any type of severity to user's console. */
set host <x.x.x.x> 'facility' 'severity' /* Send messages to a syslog server */
set file messages 'facility' 'severity' /* Save messages in the 'messages' log file */
set console 'facility' 'severity' /* Send messages to the system console */
commit and-quit

The Junos default configuration includes the interactive-commands and messages files configuration. The interactive-commands log file stores the interactive-commands facility events (commands issued at the Junos command-line or by a client application). The messages log file saves events that occurs in the system (routine operations, failures and errors, emergency and critical conditions).

NOTE: change-log facility allows to log changes to the Junos configuration. interactive-commands logs only priviledged mode commands.

Verification:

  • help syslog <MESSAGE_CODE> message code documentation
  • show log messages show the contents of the messages log file
  • show log messages | match ospf filters messages log file and shows everything containing ospf
  • show log messages | match 'ospf|bgp' filters messages log file and shows everything containing ospf or bgp
  • clear log messages delete the contents of messages log file

System log message severity levels:

7 ANY
6 INFO
5 NOTICE
4 WARNINGS
3 ERRORS
2 CRITICAL
1 ALERTS
0 EMERGENCY
- NONE

Tracing (debugging)

configure
set protocols ospf traceoptions file OSPF_SAMPLE size 128K files 10 no-world-readable replace /* the OSPF_SAMPLE file will be saved in /var/log, 128K is default size */
set protocols ospf traceoptions flag error detail
set system tracing destination-override syslog host <x.x.x.x> /* send traces to syslog server instead of saving to file */
commit and-quit

Viewing trace file

  • show log OSPF_SAMPLE
  • clear log OSPF_SAMPLE

Monitoring trace file

  • monitor start OSFP_SAMPLE file contents will be shown on console when file is updated
  • monitor stop OSPF_SAMPLE or press ESC + Q to pause monitor
  • monitor list show currently monitored log files

NOTE: interface tracing is done by the kernel and no trace file can be specified, traces are logged to messages file. Global interface tracing supports archive file but by default is in /var/log/dcd file

NTP configuration

If 2 machines have > 128ms diffs, the clocks are synchronized step by step. If time diff is > 1000s no sync performed

Configuration:

configure
edit system ntp
set boot-server /* set up time from this server during boot */
set server /* set params of the NTP server to get the details from. This device also will act as an NTP server! */
commit and-quit

Verification:

  • set date ntp force force to set date from NTP server
  • set date YYYYMMDDhhmm.ss manually set date
  • show ntp status
  • show ntp associations
  • show system uptime also shows current time

SNMP v2

configure
edit snmp
set name "GW01"
set description "GW01"
set location "Lab 4 Row 11"
set contact "qfabric-admin@qfabric0"
set community public authorization read-only
set community public clients x.x.x.x/yy <restrict> /* authorized or not authorized clients */
set community public clietn-list-name <name> /* Allows to specify a list of authorized clients */
set client-list <name> <ip-address 1>
set client-list <name> <ip-address 2>
commit and-quit

SNMP Traps

[edit snmp]
trap-group MY_TRAPS {
  version v2
  categories {
    chassis
    link
    routing
  }
  targets {
    1.1.1.1
  }
}

show snmp mib walk jnxOpertingDescr show MIB values

Automatic backup

config
edit system
set archival configuration transfer-on-commit
set archival configuration transfer-interval 1440 /* The interval is a period of time ranging from 15 through 2880 minutes */
set archival configuration archive-sites "scp://..."
set archival configuration archive-sites "ftp://..." /* Will be used if first site fails */

Backup log is stored in /var/log/transfer/config file

Interfaces configuration

  • Logical units are always required.
  • Logical unit 0 is the only value allowed on interfaces running HDLC or PPP encapsulations.

Interface naming conventions:

Name Description
ae Aggregated Ethernet interface
at ATM interface
em Management and internal Ethernet interfaces (same as fxp, only one type will be present)
et 100-Gigabit Ethernet interfaces (also could be used for 40-Gigabit Ethernet interfaces)
fe Fast Ethernet interface
fxp Management and internal Ethernet interfaces
ge Gigabit Ethernet interface
gr Generic routing encapsulation (GRE) tunnel interface
lo Loopback interface. The Junos OS automatically configures one loopback interface (lo0).
si Services-inline interface, which is hosted on a Trio-based line card.
so SONET/SDH interface
xe 10-Gigabit Ethernet interface. Some older 10-Gigabit Ethernet interfaces use the ge media type (rather than xe) to identify the physical part of the network device.

Single interface configuration

configure
edit interfaces ge-0/0/1 /* set physical parameters like speed, duplex, etc... under this stanza */
set link-mode full-duplex
set speed 1000
set mtu 1500
set mac <xx:xx:xx:xx:xx:xx>
edit unit 0 /* set logical parameters under this stanza */
set family inet address 192.168.1.100/24 /* multiples addresses per interface can be set */
set family inet address 192.168.1.200/24 preferred /* by default, Junos uses lower adddress when forwaring packtes to locally connected networks */
set family inet address 192.168.1.250/24 primary /* used as source for unicast and multicast packets sourced locally. Also for ip unnumbered. */
rename family inet addresses 192.168.100/24 to addresses 192.168.1.1/24 /* change IP address */
commit and-quit

Configure multiple interfaces

configure
edit interfaces
set interface-range USERS member-range ge-0/0/1 to ge-0/0/3
edit interface-range USERS /* in case of conflict with individual interface config most specific configuration is used */
/* configure as normal interface */
/* ... */

Ethernet loopback test

Ethernet loopback test allows to check whether the physical interface is working correctly. The device sends test packets out of the interface, which are expected to loop over the plug and back to the interface. If the interface fails to receive any test packets, the hardware of the interface is faulty.

Place an interface in loopback mode

interfaces fe-fpc/pic/port fastether-options loopback

To return to the default (disable loopback mode)

delete interfaces fe-fpc/pic/port fastether-options loopback

NOTE: for Gigabit Ethernet interfaces use gigether-options

Link Aggregation (LAG)

Set the number of ae interfaces

[edit chassis]
aggergated-devices {
  ethernet {
    device-count 1; /* number of physical ae interfaces to be created by the system */
  }
}

Edit options of an ae interface

[edit interfaces ae0]
aggregated-ether-options {
  lacp {
    passsive;
  }
}
unit 0 {
  family ethernet-switching {
    port-mode trunk;
    vlan {
      members [ orange purple blue];
    }
  }
}

Bundle interfaces together

[edit interfaces]
ge-0/0/1 {
  gigether-options {
    802.3ad ae0;
  }
}
ge-0/0/2 {
  gigether-options {
    802.3ad ae0;
  }
}

Operational Monitoring and Maintenance

Chassis monitoring commands

  • show chassis alarms
  • show chassis hardware shows all the hardware installed including serial numbers and PICs
  • show chassis hardware clei-models shows line cards with model numbers
  • show chassis fpc 1 shows number of slots(PICs) in board
  • show chassis fpc pic-status 1 shows PIC information of the FPC 1: type, PIC, status, etc..
  • show chassis ethernet switch shows the information about the embedded switch used between RE and line cards
  • show chassis craft-interface craft panel LCD/LEDs statuses
  • show chassis environment shows temperature and status of boards, power supply, line cards, etc...
  • show chassis routing-engine shows the status of the Routing Engine (CPU load, temperature, master/slave, model, serial, etc...)
  • show chassis location
  • show chassis forwarding Display status of the forwarding process (FWDD). SRX devices
  • show chassis cluster

System monitoring commands

  • show system core-dumps
  • show system alarms
  • show system boot-messages displays boot log
  • show system connections same as netstat in Linux
  • show system licesnse
  • show system uptime also shows system clock
  • show system statistics
  • show system users
  • show system process extensive same as top in Linux

Monitoring interfaces

  • show interfaces terse similar to the famous show ip interfaces brief
  • show interfaces ge-0/0/2 terse filter by interface. shows all the attached units
  • show interfaces extensive detailed info about interfaces
  • show interfaces diagnostics optics ge-0/0/0 show info about SFP module
  • monitor interface xe-1/0/0 show interface live statistics
  • monitor interface traffic show traffic on all interfaces
  • monitor traffic interface ge-0/0/0.0 no-resolve tcpdump
  • monitor traffic interface ge-0/0/0.0 no-resolve detail tcpdump
  • monitor traffic interface ge-0/0/0.0 no-resolve write-file MYCAP.pcap tcpdump
  • monitor traffic interface ge-0/0/0.0 matching "host 192.168.1.1" tcpdump with custom filter
  • traceroute monitor x.x.x.x same as mtr in Linux
  • traceroute x.x.x.x transmits UDP packets and waits for ICPM time-exceeded packets
  • mtrace x.x.x.x display trace information about an IP multicast path

Powering on and shutting down Junos devices

  • request system halt gracefully shut down a Junos device. both-routing-engine command is used for routers with redundant Routing Engines. all-members is used to shut down EX Series switches when they are configured in a Virtual Chassis configuration.
  • request system power-off for a standalone chassis (such as MX Series, PTX Series, and T Series routers), the request to power off the system is applicable only to the Routing Engines.
  • request system reboot
  • request chassis routing-engine master switch
  • request chassis fpc slot <x> restart restart line card in slot x

Internal storage cleanup

  • show system storage similar to df -h in Linux
  • request system storage cleanup dry-run shows a list of files that can be deleted
  • request system storage cleanup delete unnecessary files

Junos software naming convention

junos-install-19.2.R1.8-domestic.tgz
    [package]-[release]-[edition]

NOTE: Domestic edition has stronger encryption than export

Junos update from USB

start shell
mkdir /tmp/usb
mount -t msdosfs /dev/da1s1 /tmp/usb
exit
request system software add /tmp/usb/junos-srxsme-17.3R2-S4.1.tgz no-copy

Junos update from a network resourece

file copy ftp://[username:prompt]@[ftp.hostname.net]/[filename] /var/tmp/
request system software add /tmp/usb/junos-srxsme-17.3R2-S4.1.tgz no-copy

Unified ISSU

Unified in-service software upgrade (ISSU) enables you to upgrade between two different Junos releases with minimal disruption on the control plane and with minimal disruption of traffic. It is only available on systems with multiple RE. Graceful Router Engine Switchover (GRES) and Non Stop Active Routing (NSR) must be enabled. Both RE must run same Junos version before doing an upgrade and there is no possibility to switch on/off any PICs during the upgrade.

To perform the upgrade, run the following command on the master RE:

request system software in-service-upgrade

Set root password

configure
set system root-authentication plain-text-password
commit and-quit

NOTE: Password must be at least 6 characters long and have change of case, digits or punctuation.

Reset root password

Using console, during boot, hit space bar for command prompt.

boot -s /* boot in single user mode */
recovery
set system root-authentication plain-text-password
commit and-quit

Disable password recovery

configure
set system ports console insecure /* this will not allow to boot in single user mode */
commit and-quit

Routing

Default Routing Tables:

  • inet.0 IPv4 unicast routes
  • inet.1 Multicast forwarding cache
  • inet.2 Multicast BGP routes for reverse path forwarding (RPF)
  • inet.3 MPLS path info
  • inet.4 Multicast Source Discovery routes (MSDP)
  • inet6.0 IPv6 Unicast routes
  • mpls.0 MPLS next hops

Forwarding table route types (see output of show route forwarding-table):

  • dest Remote address directly reachable through an interface
  • intf Installed as a result of configuring an interface
  • perm Installed by the kernel during routing table initialization
  • user Routes installed by the routing protocol or configuration

Route preference values (lower is better) :

Protocol Preference
Direct 0
Local 0
Static 5
OSPF Internal 10
RIP 100
Aggregate (summary) 130
OSPF AS external 150
BGP (eBGP and iBGP) 170

Static, aggregate and generate routes

Static route can have egress interface name, next hop IP address or discard as next hop.

A qualified next hop is a configurable option for a static route that allows a static route to have multiple next hops. The qualified next hop can have a different preference, which can allow one next hop to be preferred over another. The qualified next hop is referred to as a floating static route because if the primary next hop for the static route is no longer available, the secondary next hop becomes active.

Whereas a static route is active if the next hop is reachable, which in the case of the special discard and reject next hops means that the static route is always active, for aggregate and generated routes their being active depends on the presence of so-called contributing routes. A contributing route is, simply put, a more specific route than the aggregate or generated route (and sharing the same prefix, of course).

The difference between an aggregate and a generated route is that an aggregate route, even when it's active, can only have discard or reject next hops, so it will never forward any traffic; a generated route, on the other hand, can have a real next hop, which is taken from the "preferred" contributing route. The next hop of the contributing route can not be reject or discard.

Configuration example:

configure
edit routing-options 
set static route 0.0.0.0/0 next-hop 10.0.0.1 /* with "no-readvertise" this route will not be used by dynamic routing protocols */
set static route 0.0.0.0/0 qualified-next-hop 172.84.23.2 preference 6 /* floating static route (or just route with custom preference value) */
set static route <x.x.x.x/y> reject /* route to null 0 interface and generate icmp unreachable packet (discard is silent) */
set static route <y.y.y.y/z> resolve /* ask Junos for recursive route resolution */
set aggregate route 10.12.0.0/22 /* Creates an aggregate route with REJECT destination */
commit and-quit

Verification:

  • show route displays inet.0 and inet6.0 routing tables
  • show route instance [<name>] display all routing instances or filter by name
  • show route forwarding-table show the forwarding table (contains only ACTIVE routes)
  • show interfaces terse routing-instance <instance-name> show interfaces of specified routing instance
  • ping <x.x.x.x> routing-instance <instance-name> perform a ping using specified routing instance
  • traceroute <x.x.x.x> routing-instance <instance-name> perform a traceroute using specified routing instance.

ECMP - Equal-cost multipath

By default, ECMP is NOT enabled. If there are multiple routes with same preference and metric values, the router pushes the routing table down to the forwarding table, it randomly selects ONE next-hop. To change that behavior, you can define a forwarding-table export policy that controls what happens when the forwarding table gets built from the routing table.

Consider the following configuration:

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop [ 1.1.1.1 1.1.1.2 ];
            metric 10;
        }
    }
}

Routing table shows both routes:

lab@router> show route 0.0.0.0/0
...
0.0.0.0/0          *[Static/5] 00:01:28, metric 10
                    > to 1.1.1.1 via ge-0/0/0.0
                      to 1.1.1.2 via ge-0/0/0.0

But the forwarding table shows that only ONE route is selected:

lab@router> show route forwarding-table destination 0.0.0.0/0
...
Destination        Type RtRef Next hop           Type Index NhRef Netif
0.0.0.0/0          user     0 1.1.1.1            ucst   558     3 ge-0/0/0.0

Example of ECMP configuration:

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop [ 1.1.1.1 1.1.1.2 ];
            metric 10;
        }
    }
    forwarding-table {
        export LOAD-BALANCE;
    }
}
policy-options {
    policy-statement LOAD-BALANCE {
        then {
            load-balance per-packet; /* this will do per-flow load balancing */
        }
    }
}

After configuring ECMP the forwarding table will show ulst as next hop type:

lab@router> show route forwarding-table destination 0.0.0.0/0                    
...
Destination        Type RtRef Next hop           Type Index NhRef Netif
0.0.0.0/0          user     0                    ulst 262142     2
                              1.1.1.1            ucst   558     3 ge-0/0/0.0
                              1.1.1.2            ucst   540     3 ge-0/0/0.0

URPF - Unicast Reverse Path Forwarding

URPF has 2 modes: strict(default) and loose. Strict checks that the source of return route to the packet is via the same interface. RPF checks are performed on the edge routers, in strict mode this functionality it is enabled on all the interfaces.

set interface ge-0/0/0 unit 0 family inet rpf-check enable URPF on interface

[edit]
routing-options {
  forwarding-table {
    unicast-reverse-path feasible-paths; /* Enable this otion to consider all feasible paths (assymetric routing). By default: active-paths */
  }
}
ge-0/0/2 {
  unit 0 {
    family inet {
      rpf-check fail-filter rpf-dhcp; /* if the packet is discarded by RPF, it will go to the 'rpf-dhcp' filter. Also the right place to log the discarded packets by RPF (normal filter will not log them /*
      address <x.x.x.x/y>
    }
  }
}
firewall { /* this filter allows DHCP and BOOTP messages to pass the RPF check */
  family inet {
    filter rpf-dhcp {
      from {
        source-address {
          0.0.0.0/32;
        }
        destination-address {
          255.255.255.255/32;
        }
      }
      then accept;
    }
  }
}

Routing instances

A routing instance is a unique collection of routing tables, interfaces and routing protocol parameters.

Interface Description
forwarding Used to implement filter-based forwarding for common layer applications
l2vpn Used in Layer 2 VPN implementations
no-forwarding Used to separate large networks into smaller administrative entities
virtual-router Used for non-VPN-related applications such as system virtualization
vrf Used in Layer 3 VPN implementations
[edit routing-instances]
CustomInstance {
instance-type virtual-router;
interface fe-1/1/0.0;
interface fe-1/1/1.0;
interface fe-1/1/5.0;
interface ae0.0;
  protocols {
    ospf {
      area 0.0.0.0 {
        interface all;
      }
    }
  }
}

Routing policies

  • By default, OSPF import and export policy accepts all the prefixes but rejects everything outside of OSFP.
  • In OSPF, policy configuration can be done at protocol level only.
  • By default, RIP import policy accepts all and the export policy rejects all (exported prefixes must be specified manually).
  • In RIP, import policy can be applied at protocol and neighbor levels.
  • By default, BGP import policy accepts all and export policy accept active routes.
  • In BGP, policy can apply to neighbor, group or protocol level of config.
  • then statement is optional.
  • Terms are optional in policies.
  • If a term does not contain from statement, all routes will match.
  • Terminating actions: accept and reject.
  • Flow control actions: next term and next policy.
  • If the next term action is specified, if no action is specified, or if the route does not match, the evaluation continues.
  • If there are no more routing policies, then the accept or reject action specified by the default policy is taken.
  • Definition of routing policy is always under [edit policy-options]

OSPF

configure
edit protocols ospf
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1 /* If the logical interface is not specified, Junos assumes logical unit 0 */
set area 0 interface ge-0/0/2.0 passive /* Do not look for neigbors on this interface but advertice it's IP addresses */
commit and-quit

Inject the static default route into OSPF

set policy-options policy-statement DEFST term MYTERM from protocol static route-filter 0.0.0.0/0 exact
set policy-options policy-statement DEFST term MYTERM then accept
edit protocols ospf
set export DEFST /* Note that DEFST is applied as an export policy */
commit and-quit

Verification:

  • show ospf neighbor [detail|extensive]
  • show ospf interface
  • show ospf database
  • show ospf database advertising-router self show advertised networks (without network mask)
  • show ospf database advertising-router self detail show advertised networks, with mask, type, metric, etc...
  • show ospf route shows where did OSPF learned the routes from and the route types (Extern, Intra, Inter, etc…)
  • show route protocol ospf filter routing table by OSPF

RIP

[edit protocols]
rip {
  group rip-group {
    export advertise-routes-through-rip;
    neighbor fe-1/2/0.1;
  }
}
[edit policy-options]
policy-statement advertise-routes-through-rip {
  term 1 {
    from protocol [ direct rip ];
    then accept;
  }
}

Verification:

  • show route protocol rip show RIP routes installed into the routing table
  • show route advertising-protocol rip 10.0.0.1 show routes advertised by RIP to neighbors
  • show route receive-protocol rip 10.0.0.2 show routes received by RIP neighbors
  • show rip neighbor verify that all RIP-enabled Interfaces are available and active
  • show rip statistics verify that RIP messages are being sent and received on all RIP-enabled interfaces

Firewall

  • In Junos, lo0 interface is used to filter access to the Routing Engine. Packet Forwarding Engine applies the firewall filters before the traffic reaches the control plane.
  • By default, firewall filters are stateless.
  • The default firewall filter action is discard.
  • Actions: accept, discard, reject
  • Action modifiers: count, log, syslog, forwarding-class, loss-priority, etc.. have an implicit accept, the flow control can be changed adding next term action modifier.
  • count action modifier is filter specific. If the filter is applied to another interface, same counter will be used for both interfaces. Use interface-specific to overwrite this behavior.
  • The log action writes log information to a buffer (line card RAM). There is no option for writing logs to a remote server, or for writing them to disk. Once the available buffer is full, new logs will replace the oldest, so a historical record is not kept. Logs are cleared whenever the device or PFE is restarted.
  • Prefix lists can't be used in stateful firewalls!
  • prefix-list-filter can match exact, longer or orlonger
  • route-filter is not reusable but it has more match types than a prefix-list-filter: exact longer, orlonger, upto, prefix-length-range.

Configuration example of filtering SSH access to the routing engine:

[edit policy-options]
prefix-list trusted {
  172.27.102.0/24;
}
[edit firewall fiter family inet]
filter limit-ssh-access {
  term ssh-accept {
    from {
      source-prefix-list {
        trusted;
      }
      protocol tcp;
      destination-port ssh;
    }
    then accept;
  }
  term ssh-reject {
    from {
      protocol tcp;
      destination-port ssh;
    }
    then {
      discard;
    }
  }
  term else-accept {
    then accept;
  }
}
[edit interfaces]
lo0 {
  unit 0 {
    family inet {
      filter {
        input limit-ssh-access;
      }
      address x.x.x.x/32
    }
  }
}

Another configuration example using counters:

[edit firewall family inet filter output-ff]
term deny-spoofed {
  from {
    source-address { /* Exclude specific range */
      0.0.0.0/0;
      172.27.102.0/24 except;
    }   
  }
  then {
    log;
    discard;
  }
}
term else-accept {
  then {
    count outbound-accepted;
    accept;
  }
}

Verification:

  • show firewall log show log of filtered packets
  • show firewall counter filter filtername countername show counter statistics
  • clear firewall filter filtername [counter counter] clear firewall counter

SRX security section

By default, SRX devices work in flow mode by which security policies are in place and unless otherwise allowed, packets are dropped (it works as a firewall device). If you want to configure SRX as a router only device, you should change from flow mode to packet mode as below:

edit security
set forwarding-options family [inet|inet6] mode packet-based
commit and-quit
request system reboot

NOTE: For this config to commit properly, security policies must be deactivated or removed.

Verification:

  • show security flow status

Policing

  • By default, a policer operates in term-specific mode so that, for a given firewall filter, the Junos creates a separate policer instance for every filter term that references the policer. As an option, you can configure a policer to operate in filter-specific mode so that a single policer instance is used by all terms (within the same firewall filter) that reference the policer.
  • By default, policers employ token-bucket algorithm.
  • To calculate the burst size (best practice), multiply the interface speed (bits per sec) by the desired burst size (in seconds) and divide by 8 to convert it to bytes.
  • The actions inside of the policer are ONLY applied if traffic matches the conditions, otherwise, the actions from the firewall filter will be applied.

Simple policer configuration example:

[edit firewall policer P1]
if-exceeding {
  bandwidth-limit 64k; /* in bits (from 30,520 bps to 4.29Gbps) */
  burst-size-limit 4k; /* in bytes (min is 10 times MTU or bandwidth times 3-5ms) */
}
then discard;

CoS - Class of Service

CoS rules must be configured on ALL the network devices consistently, so traffic is treated the same way along the network path.

Classifiers

  • Default forwarding classes: Best effort (BE), Expedited forwarding (EF), Assured forwarding (AF), Network Control (NC). Best effort is used by default - first in, first out.
  • Behavior Aggregate (BA) classifier - set forwarding class and loss priority using header values (DSCP, IP Precedence, MPLS EXP and IEEE 802.1p). Inbound edge devices should SET this fields and the rest of the internal routers should trust this marks.
    • If the In-the-Box model is used, this classifier does not make sense and multifield classifier is used.
    • If the Across-the-Network model is used, the edge device marks the packets with BA and next devices performs CoS based on those values (trust the CoS marks). NO need to use multifield classifier.
  • Multifield classifier - allows to set class and loss priority using firewall filters (used to classify by multiple fields of a packet)
  • Forwarding Policy options - allows to implement CoS-based forwarding. Balance packets between multiple equal-cost paths or set class and loss priority for prefixes.
  • By default, Junos does not modify L3 headers (it possible to do so), but the L2 layer CoS fields must be re-written. IP Precedence and DSCP can not be rewritten at the same time for the same packet because they share common bits.

Default queue to forwarding class associations:

Queue Forwarding class Note
Queue 0 Best Effort 95% of traffic goes here
Queue 1 Expedited Forwarding Must be configured manually
Queue 2 Assured Forwarding Must be configured manually
Queue 3 Network control 5% of traffic goes here

BA classifier configuration examples:

Rewrite the CoS markers (at the inbound edge of the network):

[edit class-of-service]
interfaces {
  ge-0/0/3 {
    unit 0 {
      rewrite-rules { /* rewrite packet's BA markers */
        inet-precedence default;
      }
    }
  }
}

Trust the CoS marks and classify traffic accordingly (applied on the routers inside the network)

[edit class-of-service]
interfaces {
  ge-0/0/3 {
    unit 0 {
      classifiers { # read BA makrers and classify traffic accordingly 
        inet-precedence default;
      }
    }
  }
}

Multifield classifier configuration example:

[edit firewall family inet filter apply-cos-markings]
term admin {
  from {
    source-address {
      x.x.x.x/y
    }
  }
  then {
    forwarding-class expedited-forwarding;
    accept;
  }
}
term all-other-traffic {
  then accept;
}

[edit interfaces ge-0/0/1]
unit 0 {
  family inet {
    filter {
      input apply-cos-markings
    }
    address x.x.x.x/y;
  }
}

Example of classifying traffic using policers:

firewall {
  policer admin-traffic-policer {
    if-exceeding {
      bandwidth-limit 1m;
      burst-size-limit 3k;
    }
    then forwarding-class best-effort; /* if traffic is exceeding the limits, this class is applied */
  }
  family inet {
    filter apply-cos-markings {
      term admin {
        from {
          source-address {
            x.x.x.x/y
          }
        }
        then {
          policer admin-traffic-policer;
          forwarding-class expedited-forwarding; /* if traffic is NOT exceeding policer limits then this class is applied */
          accept;
        }
      }
      term all-other-traffic {
        then accept;
      }
    }
  }
}

Scheduler and scheduler maps

A scheduler contains parameters about how to service a queue. A scheduler is associated with a queue and forwarding class through a scheduler map. Schedulers work in a WRR (Weighted Round Robbin) format. Custom WRED drop profiles are applied in the schedulers.

Scheduler configuration example:

[edit class-of-service schedulers]
sched-BE {
  transmit-rate percent 40; /* adding 'exact' will disallow using any other available bandwidth */
  buffer-size percent 40; /* Same transmit rate and buffer-size percent performs well in many cases */
  priority low;
} /* Custom drop profile not defined, default one works fine in many cases */

Scheduler map configuration example

[edit class-of-service scheduler-maps]
sched-map-example {
  forwarding-class best-effort scheduler sched-BE;
  forwarding-class expedited-forwarding scheduler sched-EF;
  forwarding-class assured-forwarding scheduler sched-AF;
  forwarding-class network-control scheduler sched-NC;
} /* in this case 4 scheduleras are associated with default forwarding classes (queues) */

Example of how to assign scheduler map to interface:

[edit class-of-service interface]
fe-* { /* assign a scheduler map to all the interfaces matching this expression */
  scheduler-map sched-map-example;
}
ge-0/0/0 {
  scheduler-map sched-map-example;
}

Verification:

  • show class-of-service interface <interface> display the logical and physical interface associations for the classifier, rewrite rules, and scheduler map objects
  • show class-of-service classifier name <name> for each class-of-service classifier, display the mapping of code point value to forwarding class and loss priority
  • show interfaces <interface> detail | find "Egress queues" show egress queue statistics
  • show interface queue ge-0/0/3 show egress queue statistics

Outbound interfaces queues

Outbound packets are placed in queues and scheduler defines how the interface should process each queue. If the queues are full, the traffic will be dropped until there will be enough space in the queues (tail drop). RED algorithm avoids tail drops by deleting some packets (statistically), helps to avoid global TCP synchronization.

Forwarding classes configuration example. Create and assign forwarding classes to queues.

[edit class-of-service]
set forwarding-classes queue 0 general-traffic
set forwarding-classes queue 1 important-traffic
set forwarding-classes queue 2 critical-traffic

On most Junos platforms, default forwarding class name are associated with queues 0-3. The previous example overrides that association. BA classifiers and rewrite rules map traffic to and from queues (regardless of the forwarding class name). All other CoS rules reference forwarding class names, rather than queues.

Verification:

  • show class-of-service forwarding-class show the association between forwarding classes and the queues

IPv6

  • 128 bit IP address in eight 16-bit hexadecimal blocks separated by colon.
  • Does not support NAT.
  • Hosts can use stateless address configuration (SLAAC). Small networks with single subnet.
  • IPsec support is necessary
  • Improved support for options using extension headers. This simplifies the header format.

IPv4 packet vs IPv6 packet

IPv6 packet structure:

+-------------+-------------------+---------------------------------+
| Version (4) | Traffic Class (8) |        Flow Label (20)          |
+-------------+-------------------+---------------------------------+
|       Payload Length (16)       | Next Header (8) | Hop limit (8) |
+---------------------------------+---------------------------------+
|                         Source Address (128)                      |
+-------------------------------------------------------------------+
|                       Destination Address (128)                   |
+-------------------------------------------------------------------+
  • IPv6 packet has a fixed length of 40bytes while IPv4 has a variable header length
  • Both, IPv4 and IPv6 packets, have Version, Source Address and Destination Addresses fields.
  • In IPv6 packets, Header Length, Identification, Flags, Fragment Offset and Header Checksum fields were removed.
  • In IPv6 packets, TOS field was renamed to Traffic Class.
  • In IPv6 packets, Time To Live field was renamed to Hop Limit.

The IPv6 header and extensions headers_ replace the existing IPv4 IP header with options. There are 6 Extensions Headers:

  • Hop-by-Hop options - Options to examine by each node along the path
  • Routing - list of intermediate nodes that should be visited on the path to dst
  • Fragment - signals when a packet has been fragmented by the source. Fragmentation is ALWAYS performed by the source host, using max path MTU discovery mechanism.
  • Destination Options - options examined by destination only (can appear twice in a packet)
  • Authentication Header - Used with IPsec to verify packet authenticity
  • Encrypted Security Payload - Used with IPsec and carries encrypted data

IPv6 Addresses

Examples of FRC 4291 prefixes:

  • ::/128 - Unspecified.
  • ::1/128 - Loopback.
  • FF00::/8 - Multicast. Support 16 different types of scope.
  • FE80::/10 - Link local addresses are used for neighbor discovery, autoconfiguration and routing protocol traffic. Used within same routing domain. Automatically generated on all interfaces.
  • FEC0::/10 - Site Local addresses, routable inside a limited area. Can be used as private IPV6 addresses. Have a high probability of global uniqueness.

Recommended prefix lengths (RFC3177)

  • Use prefix length /48 for home networks and enterprises
  • Use prefix length /47 or multiple /48 for very large subscribers
  • Use prefix length /64 when it is known that one and only one subnet is needed by design.
  • Use prefix length /128 for loopback addresses and end devices

Point to point links Use prefix length /127 on inter-router point-to-point links links (RFC6164) but /64, /124 and /126 have been used for this purpose.

Special addresses:

  • ::/16 is reserved for special addressing
  • ::1 is a loopback address
  • :: in IPv6 is like 0.0.0.0 in IPv4

Global Unicast Address

<------Public topology------><-Site-><----Interface identifier---->
+----+-----------------------+-------+----------------------------+
| FP | Global Routing Prefix |  SID  |        Interface ID        |
+-3b-+--------45b------------+--16b--+-----------64b--------------+

FP - Format Prefix. Binary prefix 001 (2000::/3) identifies the aggregable global unicast space.

Global Routing Prefix - Reserved for hierarchical allocation. Provide higher level of summarization.

SID - Subnet Identifier. Reserved for local assignment to a link. Provides subnetting capability within a site.

Interface ID - Reserved for interface ID allowing for easy autoconfiguration of a host on a network using IEEE EUI64: MAC Address(48bits) with 0xFFFE in the middle.

Stateless autoconfiguration: Host sends RS (Router Solicitation) message to discover the presence of on-link routers. When a router receives RS request from a host, it responds with an RA(Router Advertisement) message which contains prefix list entries that can be used to perform address autoconfiguration. RA messages are also sent periodically by the routers.

Neighbor discovery tracks the reachability status (and link-layer address) of neighbors on a local link. The device is considered reachable when there is a recent confirmation of a response to NS (Neighbor Solicitation message). Otherwise it is considered unreachable. IPv6 routers can send information of neighbors to downstream nodes. ND is optional on IPv6 devices.

Multicast Address

Multicast addresses are identified by the high order byte FF (1111 1111b)

+-----------+-------+-------+----------+
|   8bits   | 4bits | 4bits | 112 bits |
+-----------+-------+-------+----------+
| 1111 1111 | Flags | Scope | Group ID |
+-----------+-------+-------+----------+

Type of multicast addresses (RFC4291)

  • Solicited-Node Multicast Addresses for NS (Neighbor Solicitation) messages
  • All-Nodes Multicast Addresses for RA (Router Advertisement) messages
  • All-Routers Multicast Addresses for RS (Router Solicitation) messages

Anycast Address (RFC2526)

IPv6 defines a new type of address, known as an "anycast" address, that allows a packet to be routed to one of a number of different nodes all responding to the same address. The anycast address may be assigned to one or more network interfaces (typically on different nodes), with the network delivering each packet addressed to this address to the "nearest" interface based on the notion of "distance" determined by the routing protocols in use. It also can be used to force routing through a specific ISP.

IPv6 configuration and verification

Enable IPv6 on an interface:

edit interfaces ge-0/0/0 unit 0 
set familiy inet6 /* this enables IPv6 processing on an interface and creates link-local address */
set familiy inet6 address 2001:db8:0:5::/64 eui-64 /* Set an IP address atumatically using EUI64 */

Static route configuration:

set rib inet6.0 static route 0::/0 next-hop 3001::1
set rib inet6.0 static route 0::/0 qualified-next-hop fe80::1 interface ge-0/0/0 /* If next hop is link-local address, an outgoing interface must be specified because link-local are not globally unique! */

Verification:

  • show route table inet6 show all the IPv6 routes
  • show route table inet6.0 protocol static show IPv6 static routes
  • show ipv6 neighbors list of neighbors with IPv6 addresses and link-local addresses

IPv6 and IPv4 protocols differences:

In IPv6, OSPFv3 (RFC5340) has graceful restart (RFC5781) and authentication/confidentiality (RFC4552) to provide security. The router id is the same as in IPv4 and the protocol configuration is done under [protocols ospf3] stanza.

For protocols such as BGP or IS-IS, everything remains the same, except the neighbor addresses.

Tunneling IPv6 traffic over IPv4 Networks

Transition from IPv4 to IPv6 by using tunnels to span IPv4 networks until all the intermediate routers have been upgraded to support IPv6.

There are few approaches:

  • IPv4 compatible addressing
  • Configured tunnels
  • 6to4
  • 6over4

The IPv6 tunneling process consists of the following steps:

  • 1 - Encapsulation of the IPv6 packet within an IPv4 header
  • 2 - Forwarding of the new IPv4 packet
  • 3 - Removal of the IPv4 header
  • 4 - Processing or forwarding of the IPv6 packet

Configuration example using GRE tunnel

Topology:

+------+ ::2      ::1 +------+              +------+ ::1      ::2 +------+
|USER A|--------------|  R1  |--------------|  R2  |--------------|USER B|
+------+    Site A    +------+   Internet   +------+    Site B    +------+
      fc00:0:0:2000::/64                          fc00:0:0:2001::/64

R1 Tunnel Interface configuration:

[edit interfaces gr-0/0/0]
unit 0 {
  tunnel {
    source 192.168.1.1;
    destination 192.168.2.1;
  }
  family inet6 {
    address fc00:0:0:1000::1/126;
  }
}

R2 Tunnel Interface configuration:

[edit interfaces gr-0/0/0]
unit 0 {
  tunnel {
    source 192.168.2.1;
    destination 192.168.1.1;
  }
  family inet6 {
    address fc00:0:0:1000::2/126;
  }
}

R1 Route configuration:

[edit routing options]
rib inet6.0 {
  static {
    route fc00:0:0:2001::/64 next-hop gr-0/0/0.0;
  }
}
static {
  route 192.168.2.1/32 next hop 172.18.1.1;
}

R2 Route configuration:

[edit routing options]
rib inet6.0 {
  static {
    route fc00:0:0:2000::/64 next-hop gr-0/0/0.0;
  }
}
static {
  route 192.168.1.1/32 next hop 172.18.2.1;
}

Verification:

  • show interfaces gr-0/0/0 terse verify that tunnel interface is up on both routers
  • show route 192.168.2.1 verify that the required routes are installed on both routers
  • show route table inet6.0 fc00:0:0:2001::/64 verify that the required routes are installed on both routers
  • ping fc00:0:0:2001::2 source fc00:0:0:2001:1 rapid count 25 verify the connectivity
  • show interfaces gr-0/0/0.0 detail | find "traffic statistics" verify tunnel usage statistics

NOTE: GRE tunnels are stateless.

JTAC

YOU MUST HAVE A VALID SERVICE CONTRACT!

  • show chassis hardware get chassis serial number to provide it to a JTAC support
  • request support information provides additional information for JTAC
  • Every case has a priority (1 - Critical, 2 - High, 3 - Medium, 4 - Low)
  • It is possible to escalate the case manually or calling JTAC
  • Juniper has KB (Knowledge Base) - repository of useful information (documents, troubleshooting, technology notes, etc..)
  • KB also has VPN Configuration Tool, SRX HA Configuration Tool and IOS to Junos Translator (The IOS-to-Junos conversion tool is no longer available)
  • PR - Problem Report
  • If you need to submit a file larger than 10M (i.e.: core file), then, you need to transfer it to sftp.juniper.net to /pub/incoming folder with case ID.

Example of uploading a file to Juniper's FTP server:

sftp anonymous@sftp.juniper.net
sftp> lcd /var/tmp
sftp> cd /pub/incoming
sftp> mkdir xxx-xxx-xxx
sftp> cd xxx-xxx-xxx
sftp> mput large-file.tgz
sftp> bye

Security concepts

Juniper's viewpoint on security can be grouped into three different categories:

  • Operation efficiency - centralized management and control
  • Security efficacy - advanced security services, thread intelligence and fine-grained policy controls
  • Business agility - scalability of deployment

5 Focus points for implementing secure network:

  • Performance - How the network will perform across wide range of user cases
  • Efficacy - How to measure the ability of identify and mitigate threats (protection quality)
  • Scalability - How the network will scale as traffic increases
  • Automation - How programmable the solution will be
  • Centralized control - How to control the solution from a single location

Juniper SRX can track apps and block the risky ones (allowing user-tailored policies). It can prioritize important apps and define packet forwarding rules. Also offers SSL packet inspection and IPS services.

UTM - Unified Thread Management

  • Sophos antivirus - in-the-cloud antivirus with small footprint
  • Antispam filtering - e-mail filter (separate licensing)
  • Web filtering
    • Enhanced Web filtering—The enhanced Web filtering solution intercepts the HTTP and the HTTPS requests and sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of the categories that are predefined and also provides site reputation information. The TSC further returns the URL category and the site reputation information to the device. The device determines if it can permit or block the request based on the information provided by the TSC.
    • Redirect Web filtering—The redirect Web filtering solution intercepts HTTP and HTTPS requests and sends them to an external URL filtering server, provided by Websense, to determine whether to block the requests. Redirect Web filtering does not require a license.
    • Local Web filtering—The local Web filtering solution intercepts every HTTP request and the HTTPS request in a TCP connection. In this case, the decision making is done on the device after it looks up a URL to determine if it is in the allow list or blocklist based on its user-defined category. Local Web filtering does not require a license or a remote category server.
    • Content filter - blocks or permits certain types of traffic based on MIME, extension, protocol and object type. Dos not require separate license.
  • Sky ATP - Advanced Thread Prevention. Key component of Juniper Connected Security. Advanced, cloud based malware protection using machine learning.
@FlorianHeigl
Copy link

FlorianHeigl commented Jan 13, 2021

Thank you!

@tshikica
Copy link

tshikica commented Nov 17, 2021

Thank you 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment