Discussion

More documents

Recommendations

Info

Chapter CHAPTER 3 3 IPSec 3 3.0 Introduction IP Security (IPSec) is a protocol suite developed in the late 1990s that provides security services for Layer 3 IP datagrams, which otherwise have no inherent security. It is defined in RFCs 2401 through 2412. IPSec is optional for IPv4 and mandatory for IPv6. Because it operates at Layer 3, IPSec provides security for higher-level traffic, including TCP and UDP. The IPSec suite defines the security protocols, the algorithms used to provide security, and the cryptographic keys required to provide the services. Traffic protection is provided by two security protocols, Authentication Header (AH) and Encapsulation Security Payload (ESP). AH provides connectionless integrity and data origin authentication for IP packets, authenticating the complete packet, including the IP header, except for IP header fields that change in transit. It also provides protection against replay attacks, a type of network attack in which valid data is maliciously transmitted repeatedly. ESP offers encryption to provide data confidentiality, and it authenticates the packet payload and the ESP header itself, but not the outer IP header. In the JUNOS software, you can configure either AH or ESP, or a combination of the two. IPSec authentication algorithms use a shared key to verify the identity of the sending IPSec device. The protocol suite defines two algorithms, MD5 and SHA1. MD5 uses a one-way hash function to convert messages to a 128-bit digest. The calculated digest is compared with one that has been decrypted with a shared key, and if the two match, the IPSec device is authenticated. SHA1 is a stronger algorithm, producing a 160-bit digest. The JUNOS software implements the HMAC version of both these algorithms, and they are available for the AH and ESP protocols and for the Internet Key Exchange (IKE) protocol, which establishes and maintains SAs and exchanges the authentication and encryption keys between IPSec devices. 106 This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
Encryption, which is the encoding of packet data, is also done with algorithms that create and verify shared keys. The JUNOS software implements DES and Triple-DES for encryption, both with cipher block chaining (CBC). DES-CBC uses a 64-bit key for encryption (56 bits for encryption and 8 bits for error checking), and the stronger 3DES-CBC uses three times the number of bits (168 bits) for encryption. To identify the traffic to protect, IPSec creates security associations (SAs) to negotiate the desired security services. Each SA, which is identified by a security parameter index (SPI), defines preferences for authentication, encryption, and security protocol. SAs can be either unidirectional or bidirectional and are created either manually or dynamically. For manual SAs, you configure matching preset shared keys for authentication and encryption, security protocols, and fixed SPI values on both ends of the IPSec connection. Dynamic SAs are negotiated by IKE, but you can configure recommended suggestions for all IPSec parameters. As a result of the negotiation with the peer, an SA pair is set up, one inbound and one outbound. The inbound half of the SA pair de-encrypts and authenticates the incoming traffic from the IPSec peer, and the outbound half encrypts and authenticates the outbound traffic going to the peer. IPSec SAs operate in one of two modes, tunnel mode or transport mode. A tunnel mode SA is essentially an IP tunnel between two security gateways, which are routers or other devices protecting the networks behind them. One common way to use tunnel mode is to send secure traffic between two sites on an intranet (that is, within a corporate network). The router at each end of the tunnel acts as a security gateway. Any data transferred between the two sites is protected as it traverses the tunnel between the security gateways. Transport mode provides security between two hosts, protecting traffic (such as OSPF and BGP traffic) that is destined for the router itself. For a tunnel mode SA, an IP header specifies the IPsec processing destination and an inner IP header specifies the packet’s ultimate destination. The security protocol header is placed between the outer and inner headers. If the protocol is AH, portions of the outer IP header and the entire tunneled IP packet (the inner IP header and the higher-layer protocols) are protected. With ESP, only the tunneled packet is protected, not the outer header. To use IPSec with M-series and T-series routers, the router must have either an ES PIC or an Adaptive Services (AS) PIC. The configuration for these two PICs differs slightly. The J-series routers also run IPSec but require no additional hardware because they have built-in AS functionality. In this chapter, we show how to configure IPSec with both PICs. This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved. Introduction | 107
Page 3 and 4:
JUNOS Cookbook
Page 5 and 6:
JUNOS Cookbook Aviva Garrett Beijin
Page 7 and 8:
Table of Contents Foreword . . . .
Page 9 and 10:
3. IPSec . . . . . . . . . . . . .
Page 11 and 12:
8.5 Creating Static Routes 263 8.6
Page 13 and 14:
13.5 Adjusting Local Preference Val
Page 15 and 16:
Foreword The early days at Juniper
Page 17 and 18:
Throughout 1997 and early 1998, all
Page 19 and 20:
Preface1 Over the past decade, netw
Page 21 and 22:
Organization As the name suggests,
Page 23 and 24:
Constant width Used for code sectio
Page 25 and 26:
Chapter 1 CHAPTER 1 Router Configur
Page 27 and 28:
You can use a number of operational
Page 29 and 30:
The show command displays the items
Page 31 and 32:
Each listed completion is the confi
Page 33 and 34:
command on the left side of the pip
Page 35 and 36:
The > tells you that you are in ope
Page 37 and 38:
} } } root@# commit root@router1# e
Page 39 and 40:
For the initial router configuratio
Page 41 and 42:
At this point in configuring the ro
Page 43 and 44:
1.4 Displaying the Commands to Recr
Page 45 and 46:
Discussion It is generally good pra
Page 47 and 48:
is often the first thing to check w
Page 49 and 50:
In this example, the error is in th
Page 51 and 52:
To track down what changed in the c
Page 53 and 54:
Solution Use the following command
Page 55 and 56:
login { class superuser-local { per
Page 57 and 58:
If PIM is not yet configured, merge
Page 59 and 60:
You can also save it to a file in y
Page 61 and 62:
These files are also compressed. av
Page 63 and 64:
You see that the running configurat
Page 65 and 66:
Solution The rollback configuration
Page 67 and 68:
See Also Recipe 1.17 1.19 Backing U
Page 69 and 70:
ad1 11513 MB IBM-DARA-212000 AH0AHG
Page 71 and 72:
J-series filesystems on a device co
Page 73 and 74:
1.22 Installing a Different Softwar
Page 75 and 76:
Use the request system software add
Page 77 and 78:
support site (http://www.juniper.ne
Page 79 and 80: JUNOS 7.0 was released in the fourt
Page 81 and 82: Some of the main processes are MGD,
Page 83 and 84: switching board (the SSB), and two
Page 85 and 86: 1.28 Gathering Information Before C
Page 87 and 88: The apply-groups statement causes t
Page 89 and 90: } } } address 10.0.16.1/24; Finally
Page 91 and 92: The commit synchronize command comm
Page 93 and 94: modules/ packages/ proc/ root/ sbin
Page 95 and 96: At this point, you can also upgrade
Page 97 and 98: lets them gain access to the router
Page 99 and 100: client/server systems—the RADIUS
Page 101 and 102: You need to enable FTP only if you
Page 103 and 104: use of the root account. Logging in
Page 105 and 106: A slight twist to this recipe is to
Page 107 and 108: Also, you will not be able to commi
Page 109 and 110: Solution Set all plain-text passwor
Page 111 and 112: Discussion When you want users to b
Page 113 and 114: individual user accounts with passw
Page 115 and 116: ead-only Can perform all actions in
Page 117 and 118: If you try to enter a command that
Page 119 and 120: aviva@router1# set class operator-p
Page 121 and 122: If you use a centralized server, it
Page 123 and 124: aviva@RouterF# set term ssh-telnet
Page 125 and 126: statement in the configuration, whi
Page 127 and 128: een idle, and what they are doing.
Page 129: Mike would be logged out: mike@rout
Page 133 and 134: networks, it does not scale well. A
Page 135 and 136: } } [edit interfaces] es-3/0/0 { #
Page 137 and 138: have to set up an IKE SA and a fire
Page 139 and 140: Here’s what the relevant portions
Page 141 and 142: Finally, configure the domain’s I
Page 143 and 144: Configure the security gateway rout
Page 145 and 146: [edit protocols ospf area 0.0.0.0]
Page 147 and 148: Then, configure the IPSec tunnel to
Page 149 and 150: Issuer: Organization: mycompany, Co
Page 151 and 152: Alternate subject: RouterB.mycompan
Page 153 and 154: Chapter 4 CHAPTER 4 SNMP4 4.0 Intro
Page 155 and 156: juniperMIB, which is the top node o
Page 157 and 158: Juniper Networks provides several d
Page 159 and 160: 4.2 Setting Router Information for
Page 161 and 162: Table 4-1. SNMP trap categories Key
Page 163 and 164: Solution You can add a term to the
Page 165 and 166: You might want to give access to al
Page 167 and 168: aviva@router1> show snmp mib get "j
Page 169 and 170: 4.9 Collecting Router Operational I
Page 171 and 172: CPU utilization: User 0 percent Bac
Page 173 and 174: Table 4-2. System logging severity
Page 175 and 176: Discussion RMON is an SNMP specific
Page 177 and 178: See Also RFC 2819, Remote Network M
Page 179 and 180: nms1 sha/3des nonvolatile active Gr
Page 181 and 182:
Again, this recipe is somewhat invo
Page 183 and 184:
Finally, configure which traps the
Page 185 and 186:
} notify chassis-notification-list
Page 187 and 188:
Some are the same as those used by
Page 189 and 190:
Solution Use the following commands
Page 191 and 192:
5.2 Limiting the Messages Collected
Page 193 and 194:
Discussion The default maximum size
Page 195 and 196:
no longer need. Here, we logged RIP
Page 197 and 198:
Discussion This configuration redir
Page 199 and 200:
This command causes all messages se
Page 201 and 202:
Apr 29 22:55:16 router xntpd[4977]:
Page 203 and 204:
The traceoption flags indicate the
Page 205 and 206:
Chapter 6 CHAPTER 6 NTP6 6.0 Introd
Page 207 and 208:
6.2 Setting the Time Zone Problem Y
Page 209 and 210:
Engine boots, the ntpdate utility r
Page 211 and 212:
You can also have all the routers s
Page 213 and 214:
6.6 Checking NTP Status Problem You
Page 215 and 216:
Chapter 7 CHAPTER 7 Router Interfac
Page 217 and 218:
under the name of the interface and
Page 219 and 220:
Solution Use the show interfaces co
Page 221 and 222:
the physical interface. It allows y
Page 223 and 224:
Solution The show interfaces extens
Page 225 and 226:
Broadcast packets 0 [0] Multicast p
Page 227 and 228:
Input packets : 5 Output packets: 5
Page 229 and 230:
1.0.12.2/30 so-1/0/0 Mars 1.0.0.1/3
Page 231 and 232:
To remove an extra IP address, use
Page 233 and 234:
Discussion For MPLS traffic to tran
Page 235 and 236:
Flags: None Addresses, Flags: Is-Pr
Page 237 and 238:
Solution Configure the router’s m
Page 239 and 240:
On an M-series or a T-series router
Page 241 and 242:
You can confirm the presence of the
Page 243 and 244:
Protocol inet6, MTU: 1500 Flags: Is
Page 245 and 246:
Solution Use the Virtual Router Red
Page 247 and 248:
Solution There are three steps to s
Page 249 and 250:
7.16 Configuring T1 Interfaces Prob
Page 251 and 252:
Run the loopback test, which sends
Page 253 and 254:
7.18 Setting Up a BERT Test on a T1
Page 255 and 256:
You can configure an error rate to
Page 257 and 258:
Discussion Synchronous Optical Netw
Page 259 and 260:
SEF 22 182 OK LOS 22 1 OK LOF 22 1
Page 261 and 262:
Use the show aps command to check t
Page 263 and 264:
type of ATM PIC, the configuration
Page 265 and 266:
gre up ipip up lo0 up up lo0.0 up u
Page 267 and 268:
Solution Add the new interface to t
Page 269 and 270:
While this does what you want, it m
Page 271 and 272:
When a single routing protocol prov
Page 273 and 274:
IPv6 uses 128-bit addresses that co
Page 275 and 276:
8.1 Viewing the Routes in the Routi
Page 277 and 278:
oute is learned from a dynamic rout
Page 279 and 280:
} } family iso { address 49.0020.19
Page 281 and 282:
8.2 Viewing Routes to a Particular
Page 283 and 284:
8.3 Viewing Routes Learned from a S
Page 285 and 286:
ff00::/8 perm 0 mdsc 53 1 ff02::1/1
Page 287 and 288:
The actual forwarding tables that t
Page 289 and 290:
and the traffic to these networks i
Page 291 and 292:
Attacker A B Target Real source add
Page 293 and 294:
Check the firewall filter counts wi
Page 295 and 296:
Solution Create a routing policy th
Page 297 and 298:
Discussion Martian addresses are pr
Page 299 and 300:
Solution After configuring both OSP
Page 301 and 302:
To verify the preference change, lo
Page 303 and 304:
Peer supports Refresh capability (2
Page 305 and 306:
This recipe shows how to enable gra
Page 307 and 308:
Because the policy and filter condi
Page 309 and 310:
then accept; } } } protocols { ospf
Page 311 and 312:
The first command in the recipe def
Page 313 and 314:
[edit] aviva@router1# set protocols
Page 315 and 316:
Table 9-4. Actions that change rout
Page 317 and 318:
(called longest-match lookup), so t
Page 319 and 320:
aviva@router1# set term 2 then reje
Page 321 and 322:
See Also IANA, http://www.iana.org/
Page 323 and 324:
the community string from the route
Page 325 and 326:
used to verify that the router is m
Page 327 and 328:
} } Discussion } } Placing firewall
Page 329 and 330:
Table 9-5. Header match conditions
Page 331 and 332:
counterintuitive. However, understa
Page 333 and 334:
protocol-except tcp; } then { count
Page 335 and 336:
protocol tcp; destination-port [ te
Page 337 and 338:
Firewall filter terms are evaluated
Page 339 and 340:
9.12 Using a Firewall Filter to Cou
Page 341 and 342:
04:58:41 pfe A t1-0/0/3.0 TCP 10.0.
Page 343 and 344:
which traffic is more important and
Page 345 and 346:
The next term allows TCP traffic: [
Page 347 and 348:
Routing Engine, you want to make su
Page 349 and 350:
from { source-address { 10.0.8.0/24
Page 351 and 352:
9.16 Rate-Limiting Traffic Flow to
Page 353 and 354:
list of IP addresses in one place i
Page 355 and 356:
lished TCP connections and you sudd
Page 357 and 358:
By default, the JUNOS software impl
Page 359 and 360:
} } } neighbor fe-0/0/0.0; neighbor
Page 361 and 362:
10.0.0.0/24 *[Direct/0] 2w4d 23:05:
Page 363 and 364:
The routing policy you set up is a
Page 365 and 366:
so the inbound metrics are 1. The m
Page 367 and 368:
can use it in the authentication-ke
Page 369 and 370:
10.6 Sending Version 1 Update Messa
Page 371 and 372:
Mar 31 10:11:13 Group beta-rip-grou
Page 373 and 374:
Chapter 11 CHAPTER 11 IS-IS11 11.0
Page 375 and 376:
oundary. This means that the IS-IS
Page 377 and 378:
might be useful when migrating two
Page 379 and 380:
Interface System L State Hold (secs
Page 381 and 382:
RouterA.02-00 0x59 0xeda9 632 L1 L2
Page 383 and 384:
The next four lines show the IP pre
Page 385 and 386:
configuring the preference statemen
Page 387 and 388:
11.5 Configuring a Level 1-Only Rou
Page 389 and 390:
11.6 Controlling DIS Election Probl
Page 391 and 392:
key, or password, for each interfac
Page 393 and 394:
} } from protocol static; then acce
Page 395 and 396:
Again, we expect the metric to chan
Page 397 and 398:
RouterA Level 2 RouterB Level 2 Rou
Page 399 and 400:
Increasing the IS-IS cost of Router
Page 401 and 402:
11.12 Moving IS-IS Traffic off a Ro
Page 403 and 404:
11.14 Tracing IS-IS Protocol Traffi
Page 405 and 406:
Using some of the other flags, you
Page 407 and 408:
OSPF views routers as nodes, which
Page 409 and 410:
Area 0.0.0.0 RouterG lo0:192.168.19
Page 411 and 412:
Another common problem in establish
Page 413 and 414:
The route entries starting with [OS
Page 415 and 416:
entries that originated from the lo
Page 417 and 418:
OSPF network. Route 192.168.18.1:0.
Page 419 and 420:
Checking on RouterA at the other en
Page 421 and 422:
192.168.19.1/32 *[Direct/0] 3d 01:5
Page 423 and 424:
The routers in the stub area no lon
Page 425 and 426:
Router 192.168.16.1 192.168.16.1 0x
Page 427 and 428:
Solution You configure MD5 authenti
Page 429 and 430:
Use the show ospf interface detail
Page 431 and 432:
With the default metric, traffic fr
Page 433 and 434:
12.12 Improving OSPF Convergence Ti
Page 435 and 436:
This output shows two BFD sessions
Page 437 and 438:
aviva@RouterG# commit aviva@RouterG
Page 439 and 440:
Jun 14 22:00:26 CHANGE 192.168.17.1
Page 441 and 442:
Jun 13 16:55:20 IP Route added with
Page 443 and 444:
list of ASs to see whether a route
Page 445 and 446:
E Route was originally learned from
Page 447 and 448:
Then configure an EBGP session to t
Page 449 and 450:
NLRI for this session: inet-unicast
Page 451 and 452:
Next is information about routes le
Page 453 and 454:
Looking at the remote peer router,
Page 455 and 456:
* 10.0.31.0/24 Self I * 172.19.121.
Page 457 and 458:
aviva@RouterE> show bgp summary Gro
Page 459 and 460:
to 10.0.31.1 via t1-0/0/3.0 10.0.29
Page 461 and 462:
lem with BGP itself. When the TCP s
Page 463 and 464:
13.4 Adjusting the Next-Hop Attribu
Page 465 and 466:
The first configuration in this rec
Page 467 and 468:
13.7 Prepending AS Numbers to the A
Page 469 and 470:
13.8 Filtering BGP Routes Based on
Page 471 and 472:
Translated, this match looks for fo
Page 473 and 474:
Type: External State: Established F
Page 475 and 476:
This recipe configures MD5 authenti
Page 477 and 478:
oute reflector system has a set of
Page 479 and 480:
10.0.24.0/24 *[BGP/170] 00:18:38, l
Page 481 and 482:
AS 65500 Sub-AS 65501 RouterF 192.1
Page 483 and 484:
figure-of-merit value correlates to
Page 485 and 486:
Once the routing policy is set up,
Page 487 and 488:
change, the router will unsuppress
Page 489 and 490:
See Also RFC 2439, BGP Route Flap D
Page 491 and 492:
You see that the route to 192.168.1
Page 493 and 494:
When setting up policies, also crea
Page 495 and 496:
} See Also next-hop 192.0.2.1; acce
Page 497 and 498:
Another restriction for multipath B
Page 499 and 500:
This forwarding table is then copie
Page 501 and 502:
BGP establishes the connection, fro
Page 503 and 504:
Chapter 14a CHAPTER 14 MPLS14 14.0
Page 505 and 506:
Layer 2 header MPLS header Layer 3
Page 507 and 508:
RouterG 192.168.19.1 Ingress router
Page 509 and 510:
The main difference between LDP and
Page 511 and 512:
family to the t1-4/0/0 interface; o
Page 513 and 514:
Also verify the MPLS-enabled interf
Page 515 and 516:
The first line of the output shows
Page 517 and 518:
aviva@RouterG> show configuration p
Page 519 and 520:
via t1-4/0/0.0, Push 100000 192.168
Page 521 and 522:
aviva@RouterG> show route forwardin
Page 523 and 524:
This recipe shows how to configure
Page 525 and 526:
Oct 5 19:25:52 Msg Hello (0x100), l
Page 527 and 528:
aviva@R3# set rsvp interface fxp0.0
Page 529 and 530:
fxp0 up up fxp0.0 up up inet 192.16
Page 531 and 532:
aviva@R1> show rsvp interface RSVP
Page 533 and 534:
y 13:31:06 the LSP was up and runni
Page 535 and 536:
10.0.0.6 10.0.0.1 Up 0 1 FF 3 - R1-
Page 537 and 538:
Solution On the ingress router, loo
Page 539 and 540:
for LSP signaling. On the egress an
Page 541 and 542:
Discussion There are several ways t
Page 543 and 544:
14.9 Verifying that the RSVP-Signal
Page 545 and 546:
14.11 Protecting an LSP’s Path Pr
Page 547 and 548:
RSVP RRO in the path calculation lo
Page 549 and 550:
The configuration allocates 50 Mbps
Page 551 and 552:
However, RSVP cannot establish the
Page 553 and 554:
Solution Fast reroute reduces packe
Page 555 and 556:
PATH sentto: 10.1.13.2 (so-0/0/2.0)
Page 557 and 558:
The RSVP interface status shows tha
Page 559 and 560:
14.13 Automatically Allocating Band
Page 561 and 562:
Then examine the history of the LSP
Page 563 and 564:
To understand how preemption works,
Page 565 and 566:
10.0.0.5 From: 10.0.0.1, State: Up,
Page 567 and 568:
9 Oct 14 10:51:20 Deselected as act
Page 569 and 570:
The router knows how to reach its i
Page 571 and 572:
10.1.13.1/32 *[Local/0] 2d 20:39:51
Page 573 and 574:
aviva@R1> clear log rsvp-trace-log
Page 575 and 576:
PATH rcvfrom: 10.1.13.2 (so-0/0/2.0
Page 577 and 578:
The discussion of Layer 3 VPNs invo
Page 579 and 580:
VPN, and routes announced by a remo
Page 581 and 582:
The third and final step is to conf
Page 583 and 584:
One last protocol that you need to
Page 585 and 586:
All routes that are part of the VPN
Page 587 and 588:
--- 192.168.13.1 ping statistics --
Page 589 and 590:
1 *[MPLS/0] 1d 18:03:41, metric 1 R
Page 591 and 592:
65500:3:10.0.31.0/24 *[BGP/170] 00:
Page 593 and 594:
emains private. When configuring th
Page 595 and 596:
} } peer-as 65500; neighbor 10.0.1.
Page 597 and 598:
The VPN2 routing table also knows n
Page 599 and 600:
Just to make sure that prefixes are
Page 601 and 602:
Multicast senders and receivers are
Page 603 and 604:
You administratively configure the
Page 605 and 606:
10.0.21.2/24 RouterB 192.168.12.1 R
Page 607 and 608:
IGMP Last Member Query Interval: 1.
Page 609 and 610:
Again, verify the configured group
Page 611 and 612:
willing to be an RP send RP Announc
Page 613 and 614:
JUNOS routers perform the encapsula
Page 615 and 616:
Now check the RP status on the rout
Page 617 and 618:
Also, make sure that the router’s
Page 619 and 620:
Check to see which RPs the various
Page 621 and 622:
The anycast PIM configuration is qu
Page 623 and 624:
Solution Specify the group address
Page 625 and 626:
The interfaces toward the multicast
Page 627 and 628:
Discussion Flags: sparse Upstream i
Page 629 and 630:
IGMP Query Response Interval: 10.0
Page 631 and 632:
If you are not sure that the domain
Page 633 and 634:
Discussion With PIM-SM, the RP in e
Page 635 and 636:
The full RIB group configuration lo
Page 637 and 638:
} address 192.168.19.1; # ping 224
Page 639 and 640:
Upstream interface: local Upstream
Page 641 and 642:
The first entry is for the source i
Page 643 and 644:
IGMP Last Member Query Interval: 1.
Page 645:
The command in this recipe is a sim
Page 648 and 649:
adjacencies (continued) IGPs and, 1
Page 650 and 651:
BGP (Border Gateway Protocol) (cont
Page 652 and 653:
configure command (continued) exclu
Page 654 and 655:
dotted quad notation, 248 down arro
Page 656 and 657:
firewall filters (continued) loggin
Page 658 and 659:
IBGP (internal BGP) (continued) LOC
Page 660 and 661:
IP multicast (continued) limiting g
Page 662 and 663:
Level 1 systems (IS-IS) authenticat
Page 664 and 665:
martian addresses/prefixes (continu
Page 666 and 667:
O Object Identifier (see OID) OID (
Page 668 and 669:
plain-text passwords (continued) JU
Page 670 and 671:
RFC (Request for Comment) on BGP, 4
Page 672 and 673:
outing tables (continued) checking
Page 674 and 675:
set route-filter command, 296 set r
Page 676 and 677:
show ospf interface command, 386, 3
Page 678 and 679:
ssh command, 3, 89 SSM (Source-Spec
Page 680 and 681:
tracing (trace logging) (continued)
Page 683:
About the Author Aviva Garrett has
show all

Discussion

Create successful ePaper yourself

Delete template?

Save as template?