Discussion

More documents

Recommendations

Info

+ protocol Match IP protocol type + protocol-except Do not match IP protocol type > source-address Match IP source address + source-class Match source class + source-class-except Do not match source class + source-port Match TCP/UDP source port + source-port-except Do not match TCP/UDP source port > source-prefix-list Match IP source prefixes in named list tcp-established Match packet of an established TCP connection tcp-flags Match TCP flags tcp-initial Match initial packet of a TCP connection You use the separate keyword with all match conditions that do not have an -except version. 9.10 Reordering Firewall Terms Problem You want to change the order of terms in a firewall filter. Solution Use the CLI insert command to rearrange the terms in a firewall filter: [edit firewall filter incoming-to-me] aviva@RouterF# insert term restrict-bgp before term restrict-telnet-ssh <strong>Discussion</strong> One difference between routing policies and firewall filters is that while you can apply several routing policies to a routing protocol, chaining them together as necessary, you can apply only one incoming and one outgoing firewall filter to an interface. This means that firewall filters generally contain a large number of terms. As with routing policies, the order of the terms in a firewall filter is significant. Packets are tested against each term in the order. For performance and packet-handling efficiency, design each filter so the most important or time-critical packets are processed first. When you add a term to an existing filter, it appears at the end: [edit firewall filter incoming-to-me] aviva@router1# set term restrict-bgp from protocol tcp aviva@router1# set term restrict-bgp from port bgp aviva@router1# set term restrict-bgp from source-address 10.0.31.0/24 aviva@router1# set term restrict-bgp then accept aviva@router1# show term restrict-telnet-ssh { from { source-address { 10.0.0.0/8; } 310 | Chapter 9: Routing Policy and Firewall Filters This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
protocol tcp; destination-port [ telnet ssh ]; } then accept; } term restrict-bgp { from { source-address { 10.0.31.0/24; } protocol tcp; port bgp; } then accept; } Use the insert command to rearrange the terms. The command in this recipe moves the restrict-bgp term so that it precedes the restrict-telnet-ssh term. Check that the order is what you expect: [edit firewall filter incoming-to-me] aviva@RouterF# show term restrict-bgp { from { source-address { 10.0.31.0/24; } protocol tcp; port bgp; } then accept; } term restrict-telnet-ssh { from { source-address { 10.0.0.0/8; } protocol tcp; destination-port [ telnet ssh ]; } then accept; } 9.11 Filtering Traffic Transiting the Router Problem For traffic transiting through the router, you want to accept packets only from trusted hosts and routers. Filtering Traffic Transiting the Router | 311 This is the Title of the Book, eMatter Edition Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
Page 3 and 4:
JUNOS Cookbook
Page 5 and 6:
JUNOS Cookbook Aviva Garrett Beijin
Page 7 and 8:
Table of Contents Foreword . . . .
Page 9 and 10:
3. IPSec . . . . . . . . . . . . .
Page 11 and 12:
8.5 Creating Static Routes 263 8.6
Page 13 and 14:
13.5 Adjusting Local Preference Val
Page 15 and 16:
Foreword The early days at Juniper
Page 17 and 18:
Throughout 1997 and early 1998, all
Page 19 and 20:
Preface1 Over the past decade, netw
Page 21 and 22:
Organization As the name suggests,
Page 23 and 24:
Constant width Used for code sectio
Page 25 and 26:
Chapter 1 CHAPTER 1 Router Configur
Page 27 and 28:
You can use a number of operational
Page 29 and 30:
The show command displays the items
Page 31 and 32:
Each listed completion is the confi
Page 33 and 34:
command on the left side of the pip
Page 35 and 36:
The > tells you that you are in ope
Page 37 and 38:
} } } root@# commit root@router1# e
Page 39 and 40:
For the initial router configuratio
Page 41 and 42:
At this point in configuring the ro
Page 43 and 44:
1.4 Displaying the Commands to Recr
Page 45 and 46:
Discussion It is generally good pra
Page 47 and 48:
is often the first thing to check w
Page 49 and 50:
In this example, the error is in th
Page 51 and 52:
To track down what changed in the c
Page 53 and 54:
Solution Use the following command
Page 55 and 56:
login { class superuser-local { per
Page 57 and 58:
If PIM is not yet configured, merge
Page 59 and 60:
You can also save it to a file in y
Page 61 and 62:
These files are also compressed. av
Page 63 and 64:
You see that the running configurat
Page 65 and 66:
Solution The rollback configuration
Page 67 and 68:
See Also Recipe 1.17 1.19 Backing U
Page 69 and 70:
ad1 11513 MB IBM-DARA-212000 AH0AHG
Page 71 and 72:
J-series filesystems on a device co
Page 73 and 74:
1.22 Installing a Different Softwar
Page 75 and 76:
Use the request system software add
Page 77 and 78:
support site (http://www.juniper.ne
Page 79 and 80:
JUNOS 7.0 was released in the fourt
Page 81 and 82:
Some of the main processes are MGD,
Page 83 and 84:
switching board (the SSB), and two
Page 85 and 86:
1.28 Gathering Information Before C
Page 87 and 88:
The apply-groups statement causes t
Page 89 and 90:
} } } address 10.0.16.1/24; Finally
Page 91 and 92:
The commit synchronize command comm
Page 93 and 94:
modules/ packages/ proc/ root/ sbin
Page 95 and 96:
At this point, you can also upgrade
Page 97 and 98:
lets them gain access to the router
Page 99 and 100:
client/server systems—the RADIUS
Page 101 and 102:
You need to enable FTP only if you
Page 103 and 104:
use of the root account. Logging in
Page 105 and 106:
A slight twist to this recipe is to
Page 107 and 108:
Also, you will not be able to commi
Page 109 and 110:
Solution Set all plain-text passwor
Page 111 and 112:
Discussion When you want users to b
Page 113 and 114:
individual user accounts with passw
Page 115 and 116:
ead-only Can perform all actions in
Page 117 and 118:
If you try to enter a command that
Page 119 and 120:
aviva@router1# set class operator-p
Page 121 and 122:
If you use a centralized server, it
Page 123 and 124:
aviva@RouterF# set term ssh-telnet
Page 125 and 126:
statement in the configuration, whi
Page 127 and 128:
een idle, and what they are doing.
Page 129 and 130:
Mike would be logged out: mike@rout
Page 131 and 132:
Encryption, which is the encoding o
Page 133 and 134:
networks, it does not scale well. A
Page 135 and 136:
} } [edit interfaces] es-3/0/0 { #
Page 137 and 138:
have to set up an IKE SA and a fire
Page 139 and 140:
Here’s what the relevant portions
Page 141 and 142:
Finally, configure the domain’s I
Page 143 and 144:
Configure the security gateway rout
Page 145 and 146:
[edit protocols ospf area 0.0.0.0]
Page 147 and 148:
Then, configure the IPSec tunnel to
Page 149 and 150:
Issuer: Organization: mycompany, Co
Page 151 and 152:
Alternate subject: RouterB.mycompan
Page 153 and 154:
Chapter 4 CHAPTER 4 SNMP4 4.0 Intro
Page 155 and 156:
juniperMIB, which is the top node o
Page 157 and 158:
Juniper Networks provides several d
Page 159 and 160:
4.2 Setting Router Information for
Page 161 and 162:
Table 4-1. SNMP trap categories Key
Page 163 and 164:
Solution You can add a term to the
Page 165 and 166:
You might want to give access to al
Page 167 and 168:
aviva@router1> show snmp mib get "j
Page 169 and 170:
4.9 Collecting Router Operational I
Page 171 and 172:
CPU utilization: User 0 percent Bac
Page 173 and 174:
Table 4-2. System logging severity
Page 175 and 176:
Discussion RMON is an SNMP specific
Page 177 and 178:
See Also RFC 2819, Remote Network M
Page 179 and 180:
nms1 sha/3des nonvolatile active Gr
Page 181 and 182:
Again, this recipe is somewhat invo
Page 183 and 184:
Finally, configure which traps the
Page 185 and 186:
} notify chassis-notification-list
Page 187 and 188:
Some are the same as those used by
Page 189 and 190:
Solution Use the following commands
Page 191 and 192:
5.2 Limiting the Messages Collected
Page 193 and 194:
Discussion The default maximum size
Page 195 and 196:
no longer need. Here, we logged RIP
Page 197 and 198:
Discussion This configuration redir
Page 199 and 200:
This command causes all messages se
Page 201 and 202:
Apr 29 22:55:16 router xntpd[4977]:
Page 203 and 204:
The traceoption flags indicate the
Page 205 and 206:
Chapter 6 CHAPTER 6 NTP6 6.0 Introd
Page 207 and 208:
6.2 Setting the Time Zone Problem Y
Page 209 and 210:
Engine boots, the ntpdate utility r
Page 211 and 212:
You can also have all the routers s
Page 213 and 214:
6.6 Checking NTP Status Problem You
Page 215 and 216:
Chapter 7 CHAPTER 7 Router Interfac
Page 217 and 218:
under the name of the interface and
Page 219 and 220:
Solution Use the show interfaces co
Page 221 and 222:
the physical interface. It allows y
Page 223 and 224:
Solution The show interfaces extens
Page 225 and 226:
Broadcast packets 0 [0] Multicast p
Page 227 and 228:
Input packets : 5 Output packets: 5
Page 229 and 230:
1.0.12.2/30 so-1/0/0 Mars 1.0.0.1/3
Page 231 and 232:
To remove an extra IP address, use
Page 233 and 234:
Discussion For MPLS traffic to tran
Page 235 and 236:
Flags: None Addresses, Flags: Is-Pr
Page 237 and 238:
Solution Configure the router’s m
Page 239 and 240:
On an M-series or a T-series router
Page 241 and 242:
You can confirm the presence of the
Page 243 and 244:
Protocol inet6, MTU: 1500 Flags: Is
Page 245 and 246:
Solution Use the Virtual Router Red
Page 247 and 248:
Solution There are three steps to s
Page 249 and 250:
7.16 Configuring T1 Interfaces Prob
Page 251 and 252:
Run the loopback test, which sends
Page 253 and 254:
7.18 Setting Up a BERT Test on a T1
Page 255 and 256:
You can configure an error rate to
Page 257 and 258:
Discussion Synchronous Optical Netw
Page 259 and 260:
SEF 22 182 OK LOS 22 1 OK LOF 22 1
Page 261 and 262:
Use the show aps command to check t
Page 263 and 264:
type of ATM PIC, the configuration
Page 265 and 266:
gre up ipip up lo0 up up lo0.0 up u
Page 267 and 268:
Solution Add the new interface to t
Page 269 and 270:
While this does what you want, it m
Page 271 and 272:
When a single routing protocol prov
Page 273 and 274:
IPv6 uses 128-bit addresses that co
Page 275 and 276:
8.1 Viewing the Routes in the Routi
Page 277 and 278:
oute is learned from a dynamic rout
Page 279 and 280:
} } family iso { address 49.0020.19
Page 281 and 282:
8.2 Viewing Routes to a Particular
Page 283 and 284: 8.3 Viewing Routes Learned from a S
Page 285 and 286: ff00::/8 perm 0 mdsc 53 1 ff02::1/1
Page 287 and 288: The actual forwarding tables that t
Page 289 and 290: and the traffic to these networks i
Page 291 and 292: Attacker A B Target Real source add
Page 293 and 294: Check the firewall filter counts wi
Page 295 and 296: Solution Create a routing policy th
Page 297 and 298: Discussion Martian addresses are pr
Page 299 and 300: Solution After configuring both OSP
Page 301 and 302: To verify the preference change, lo
Page 303 and 304: Peer supports Refresh capability (2
Page 305 and 306: This recipe shows how to enable gra
Page 307 and 308: Because the policy and filter condi
Page 309 and 310: then accept; } } } protocols { ospf
Page 311 and 312: The first command in the recipe def
Page 313 and 314: [edit] aviva@router1# set protocols
Page 315 and 316: Table 9-4. Actions that change rout
Page 317 and 318: (called longest-match lookup), so t
Page 319 and 320: aviva@router1# set term 2 then reje
Page 321 and 322: See Also IANA, http://www.iana.org/
Page 323 and 324: the community string from the route
Page 325 and 326: used to verify that the router is m
Page 327 and 328: } } Discussion } } Placing firewall
Page 329 and 330: Table 9-5. Header match conditions
Page 331 and 332: counterintuitive. However, understa
Page 333: protocol-except tcp; } then { count
Page 337 and 338: Firewall filter terms are evaluated
Page 339 and 340: 9.12 Using a Firewall Filter to Cou
Page 341 and 342: 04:58:41 pfe A t1-0/0/3.0 TCP 10.0.
Page 343 and 344: which traffic is more important and
Page 345 and 346: The next term allows TCP traffic: [
Page 347 and 348: Routing Engine, you want to make su
Page 349 and 350: from { source-address { 10.0.8.0/24
Page 351 and 352: 9.16 Rate-Limiting Traffic Flow to
Page 353 and 354: list of IP addresses in one place i
Page 355 and 356: lished TCP connections and you sudd
Page 357 and 358: By default, the JUNOS software impl
Page 359 and 360: } } } neighbor fe-0/0/0.0; neighbor
Page 361 and 362: 10.0.0.0/24 *[Direct/0] 2w4d 23:05:
Page 363 and 364: The routing policy you set up is a
Page 365 and 366: so the inbound metrics are 1. The m
Page 367 and 368: can use it in the authentication-ke
Page 369 and 370: 10.6 Sending Version 1 Update Messa
Page 371 and 372: Mar 31 10:11:13 Group beta-rip-grou
Page 373 and 374: Chapter 11 CHAPTER 11 IS-IS11 11.0
Page 375 and 376: oundary. This means that the IS-IS
Page 377 and 378: might be useful when migrating two
Page 379 and 380: Interface System L State Hold (secs
Page 381 and 382: RouterA.02-00 0x59 0xeda9 632 L1 L2
Page 383 and 384: The next four lines show the IP pre
Page 385 and 386:
configuring the preference statemen
Page 387 and 388:
11.5 Configuring a Level 1-Only Rou
Page 389 and 390:
11.6 Controlling DIS Election Probl
Page 391 and 392:
key, or password, for each interfac
Page 393 and 394:
} } from protocol static; then acce
Page 395 and 396:
Again, we expect the metric to chan
Page 397 and 398:
RouterA Level 2 RouterB Level 2 Rou
Page 399 and 400:
Increasing the IS-IS cost of Router
Page 401 and 402:
11.12 Moving IS-IS Traffic off a Ro
Page 403 and 404:
11.14 Tracing IS-IS Protocol Traffi
Page 405 and 406:
Using some of the other flags, you
Page 407 and 408:
OSPF views routers as nodes, which
Page 409 and 410:
Area 0.0.0.0 RouterG lo0:192.168.19
Page 411 and 412:
Another common problem in establish
Page 413 and 414:
The route entries starting with [OS
Page 415 and 416:
entries that originated from the lo
Page 417 and 418:
OSPF network. Route 192.168.18.1:0.
Page 419 and 420:
Checking on RouterA at the other en
Page 421 and 422:
192.168.19.1/32 *[Direct/0] 3d 01:5
Page 423 and 424:
The routers in the stub area no lon
Page 425 and 426:
Router 192.168.16.1 192.168.16.1 0x
Page 427 and 428:
Solution You configure MD5 authenti
Page 429 and 430:
Use the show ospf interface detail
Page 431 and 432:
With the default metric, traffic fr
Page 433 and 434:
12.12 Improving OSPF Convergence Ti
Page 435 and 436:
This output shows two BFD sessions
Page 437 and 438:
aviva@RouterG# commit aviva@RouterG
Page 439 and 440:
Jun 14 22:00:26 CHANGE 192.168.17.1
Page 441 and 442:
Jun 13 16:55:20 IP Route added with
Page 443 and 444:
list of ASs to see whether a route
Page 445 and 446:
E Route was originally learned from
Page 447 and 448:
Then configure an EBGP session to t
Page 449 and 450:
NLRI for this session: inet-unicast
Page 451 and 452:
Next is information about routes le
Page 453 and 454:
Looking at the remote peer router,
Page 455 and 456:
* 10.0.31.0/24 Self I * 172.19.121.
Page 457 and 458:
aviva@RouterE> show bgp summary Gro
Page 459 and 460:
to 10.0.31.1 via t1-0/0/3.0 10.0.29
Page 461 and 462:
lem with BGP itself. When the TCP s
Page 463 and 464:
13.4 Adjusting the Next-Hop Attribu
Page 465 and 466:
The first configuration in this rec
Page 467 and 468:
13.7 Prepending AS Numbers to the A
Page 469 and 470:
13.8 Filtering BGP Routes Based on
Page 471 and 472:
Translated, this match looks for fo
Page 473 and 474:
Type: External State: Established F
Page 475 and 476:
This recipe configures MD5 authenti
Page 477 and 478:
oute reflector system has a set of
Page 479 and 480:
10.0.24.0/24 *[BGP/170] 00:18:38, l
Page 481 and 482:
AS 65500 Sub-AS 65501 RouterF 192.1
Page 483 and 484:
figure-of-merit value correlates to
Page 485 and 486:
Once the routing policy is set up,
Page 487 and 488:
change, the router will unsuppress
Page 489 and 490:
See Also RFC 2439, BGP Route Flap D
Page 491 and 492:
You see that the route to 192.168.1
Page 493 and 494:
When setting up policies, also crea
Page 495 and 496:
} See Also next-hop 192.0.2.1; acce
Page 497 and 498:
Another restriction for multipath B
Page 499 and 500:
This forwarding table is then copie
Page 501 and 502:
BGP establishes the connection, fro
Page 503 and 504:
Chapter 14a CHAPTER 14 MPLS14 14.0
Page 505 and 506:
Layer 2 header MPLS header Layer 3
Page 507 and 508:
RouterG 192.168.19.1 Ingress router
Page 509 and 510:
The main difference between LDP and
Page 511 and 512:
family to the t1-4/0/0 interface; o
Page 513 and 514:
Also verify the MPLS-enabled interf
Page 515 and 516:
The first line of the output shows
Page 517 and 518:
aviva@RouterG> show configuration p
Page 519 and 520:
via t1-4/0/0.0, Push 100000 192.168
Page 521 and 522:
aviva@RouterG> show route forwardin
Page 523 and 524:
This recipe shows how to configure
Page 525 and 526:
Oct 5 19:25:52 Msg Hello (0x100), l
Page 527 and 528:
aviva@R3# set rsvp interface fxp0.0
Page 529 and 530:
fxp0 up up fxp0.0 up up inet 192.16
Page 531 and 532:
aviva@R1> show rsvp interface RSVP
Page 533 and 534:
y 13:31:06 the LSP was up and runni
Page 535 and 536:
10.0.0.6 10.0.0.1 Up 0 1 FF 3 - R1-
Page 537 and 538:
Solution On the ingress router, loo
Page 539 and 540:
for LSP signaling. On the egress an
Page 541 and 542:
Discussion There are several ways t
Page 543 and 544:
14.9 Verifying that the RSVP-Signal
Page 545 and 546:
14.11 Protecting an LSP’s Path Pr
Page 547 and 548:
RSVP RRO in the path calculation lo
Page 549 and 550:
The configuration allocates 50 Mbps
Page 551 and 552:
However, RSVP cannot establish the
Page 553 and 554:
Solution Fast reroute reduces packe
Page 555 and 556:
PATH sentto: 10.1.13.2 (so-0/0/2.0)
Page 557 and 558:
The RSVP interface status shows tha
Page 559 and 560:
14.13 Automatically Allocating Band
Page 561 and 562:
Then examine the history of the LSP
Page 563 and 564:
To understand how preemption works,
Page 565 and 566:
10.0.0.5 From: 10.0.0.1, State: Up,
Page 567 and 568:
9 Oct 14 10:51:20 Deselected as act
Page 569 and 570:
The router knows how to reach its i
Page 571 and 572:
10.1.13.1/32 *[Local/0] 2d 20:39:51
Page 573 and 574:
aviva@R1> clear log rsvp-trace-log
Page 575 and 576:
PATH rcvfrom: 10.1.13.2 (so-0/0/2.0
Page 577 and 578:
The discussion of Layer 3 VPNs invo
Page 579 and 580:
VPN, and routes announced by a remo
Page 581 and 582:
The third and final step is to conf
Page 583 and 584:
One last protocol that you need to
Page 585 and 586:
All routes that are part of the VPN
Page 587 and 588:
--- 192.168.13.1 ping statistics --
Page 589 and 590:
1 *[MPLS/0] 1d 18:03:41, metric 1 R
Page 591 and 592:
65500:3:10.0.31.0/24 *[BGP/170] 00:
Page 593 and 594:
emains private. When configuring th
Page 595 and 596:
} } peer-as 65500; neighbor 10.0.1.
Page 597 and 598:
The VPN2 routing table also knows n
Page 599 and 600:
Just to make sure that prefixes are
Page 601 and 602:
Multicast senders and receivers are
Page 603 and 604:
You administratively configure the
Page 605 and 606:
10.0.21.2/24 RouterB 192.168.12.1 R
Page 607 and 608:
IGMP Last Member Query Interval: 1.
Page 609 and 610:
Again, verify the configured group
Page 611 and 612:
willing to be an RP send RP Announc
Page 613 and 614:
JUNOS routers perform the encapsula
Page 615 and 616:
Now check the RP status on the rout
Page 617 and 618:
Also, make sure that the router’s
Page 619 and 620:
Check to see which RPs the various
Page 621 and 622:
The anycast PIM configuration is qu
Page 623 and 624:
Solution Specify the group address
Page 625 and 626:
The interfaces toward the multicast
Page 627 and 628:
Discussion Flags: sparse Upstream i
Page 629 and 630:
IGMP Query Response Interval: 10.0
Page 631 and 632:
If you are not sure that the domain
Page 633 and 634:
Discussion With PIM-SM, the RP in e
Page 635 and 636:
The full RIB group configuration lo
Page 637 and 638:
} address 192.168.19.1; # ping 224
Page 639 and 640:
Upstream interface: local Upstream
Page 641 and 642:
The first entry is for the source i
Page 643 and 644:
IGMP Last Member Query Interval: 1.
Page 645:
The command in this recipe is a sim
Page 648 and 649:
adjacencies (continued) IGPs and, 1
Page 650 and 651:
BGP (Border Gateway Protocol) (cont
Page 652 and 653:
configure command (continued) exclu
Page 654 and 655:
dotted quad notation, 248 down arro
Page 656 and 657:
firewall filters (continued) loggin
Page 658 and 659:
IBGP (internal BGP) (continued) LOC
Page 660 and 661:
IP multicast (continued) limiting g
Page 662 and 663:
Level 1 systems (IS-IS) authenticat
Page 664 and 665:
martian addresses/prefixes (continu
Page 666 and 667:
O Object Identifier (see OID) OID (
Page 668 and 669:
plain-text passwords (continued) JU
Page 670 and 671:
RFC (Request for Comment) on BGP, 4
Page 672 and 673:
outing tables (continued) checking
Page 674 and 675:
set route-filter command, 296 set r
Page 676 and 677:
show ospf interface command, 386, 3
Page 678 and 679:
ssh command, 3, 89 SSM (Source-Spec
Page 680 and 681:
tracing (trace logging) (continued)
Page 683:
About the Author Aviva Garrett has
show all

Discussion

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?