
Firewall Filter on Juniper's EX-series Switches


Firewall filters provide rules that define whether to permit or deny packets transiting an interface on a switch or router from a source address to a destination address. They can be applied to ports, VLANs, or Layer 3 interfaces.

The following firewall filter types are supported for EX-series switches:
  • Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters only in the ingress direction on a physical port.

    Example.
    ge-0/0/0 {
        description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-voip-class-limit-tcp-icmp;
                }
            }
        }
    }

  • VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a LAN, and leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.

    Example.
    vlans {
        guest-vlan {
            description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN";
            filter {
                input ingress-vlan-limit-guest;
            }
        }
    }

  • Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces.

    Example.
    ge-0/1/0 {
        unit 0 {
            description "filter at egress router interface to expedite employee traffic destined for corporate network";
            family inet {
                filter {
                    output egress-router-corp-class;
                }
            }
        }
    }
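As an added example (not from the original post), here is a definition of the ingress-vlan-limit-guest filter that the guest VLAN above applies; the employee subnet 10.10.0.0/16, the counter name and the term names are assumptions. Junos filters end with an implicit discard, so the final accept term is what keeps the rest of the guest traffic flowing.

```junos
firewall {
    family ethernet-switching {
        filter ingress-vlan-limit-guest {
            /* Drop guest traffic destined for the (assumed) employee subnet
               and count the drops so the discards can be monitored. */
            term block-guest-to-employee {
                from {
                    ip-destination-address {
                        10.10.0.0/16;
                    }
                }
                then {
                    count guest-to-employee-discards;
                    discard;
                }
            }
            /* Every Junos filter ends in an implicit discard; without this
               term all remaining guest traffic would be dropped as well. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
```

The drop counter can be read in operational mode with show firewall filter ingress-vlan-limit-guest.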

Posted by jahil | 0 Comments

MTR on Juniper JUNOS

You may have used traceroute in a Microsoft OS or in Unix. It's quite simple and can tell you a few things about the connection between you and any other device on the internet.
So what if the problem is intermittent, or traceroute does not show any problem because the choke point is experiencing intermittent bursts of data? Enter MTR, the big brother of traceroute. MTR (My Trace Route) shows you a constantly updated display of each hop and how it is holding up.

Since JUNOS 8.0 there is a new option which allows you to run traceroute in an 'MTR-like' mode:

jahil@R1> traceroute monitor 4.2.2.2

where 4.2.2.2 is the IP address or domain name of the target host.

You can run a more intensive version of this from the JUNOS shell. This requires root access:

jahil@R1> start shell
 % su
Password:
jahil@R1% mtr -i 0.02 4.2.2.2

Posted by jahil | 0 Comments

Viewing default/hidden config on JUNOS

Would you like to see the JUNOS default configuration? To view certain JUNOS default settings for dynamic profiles, system, services and applications, you must type the full command:

jahil@voyager# show configuration groups junos-defaults

Note: TAB/SPACE autocomplete does not work here :)

Posted by jahil | 0 Comments

Cisco IOS 15.0 (new features).. Awesome

Cisco released IOS 15.0. This is the next major release after 12.4. It's been over 4 years since Cisco delivered a major release of IOS code.
The new features listed in the documentation include: 

  • BGP Event Based VPN Import;
  • BGP Per Neighbor Graceful Restart Configuration;
  • BGP RT Changes Without PE-CE Neighbor Impact;
  • BGP local convergence in MPLS VPN networks (the feature has already been available in 12.2 SRC, now it's available on more platforms);
  • Full BFD support, including static routes, BFD-in-VRF and BFD-over-Frame Relay (next step: test it on a 2800-series router);
  • DHCP authentication;
  • DMVPN tunnel health monitoring;
  • EEM 3.1 (whatever that is, the EEM documentation hasn't been updated yet);
  • Interaction between IS-IS and LDP;
  • OSPF graceful shutdown and OSPF TTL security check features are available on more platforms;
  • Intra-zone traffic inspection in zone-based firewall;
  • VRF Aware RSVP Agent and Gateway;
  • WCCP: VRF Support;

and many more: http://www.cisco.com/en/US/docs/ios/15_0/15_0_1_m/15_0_1_m_newfeatlist.html#wp1055140 Good job; finally we have something new to play with :)

Posted by jahil | 0 Comments

JUNOS Command Completion

The JUNOS command completion feature saves you lots of time and energy, and it provides syntax checking as you type. Gone are the days when you type a command on a line and after you press Enter the command is either invalid or not supported on that version of software. Any error or ambiguity will be detected early, and the router/switch will present a list of valid completions for the current command.

You can disable command completion on a per-login basis by modifying the CLI environment with an operational mode set cli command:

jahil@R1> set cli ?
Possible completions:
complete-on-space Set whether typing space completes current word

But a good reason to do so has not yet been noted.

You can invoke command completion with either the space bar or the Tab key. Note that the Tab key also completes user-assigned variables such as interface names, IP addresses, firewall filter names, and filenames.

Note: The most confusing thing about command completion is when to use space and when to use Tab. The space bar is used until a variable is reached, at which point the Tab key is used to auto-complete the user variable, for example the filter name test_JUNOS-JAHIL-FILTER.

Posted by jahil | 0 Comments

Juniper's JUNOS Emacs style cursor movement/Page manipulation

Remember that Juniper's JUNOS is heavily influenced by Unix; after all, it sits on top of FreeBSD. You can use Emacs-style keystrokes for cursor movement, including:

Ctrl-a  Move the cursor to the beginning of the command line, back to the prompt
Ctrl-e  Move the cursor to the end of the command line
Ctrl-b  Move the cursor back one character
Ctrl-k  Delete everything from the current cursor position to the end of the line
Ctrl-x  Delete the entire line
Ctrl-l  Redraw (redisplay) the current line
Ctrl-p  Scroll back through command history (analogous to the up arrow)
Ctrl-n  Scroll forward through command history (analogous to the down arrow)
Ctrl-r  Search command history for a string

Just as in GNU less, when you run a show command whose output spans more than one screen, the output is paginated. You can jump all the way to the end by pressing
G
and return to the start of the output by pressing
g

You can also search for a string in the output with
/(your search string)

Posted by jahil | 0 Comments

JUNOS Aggregated Ethernet Interfaces

An aggregated Ethernet interface increases bandwidth, degrades gracefully as individual links fail, and of course increases availability.

To configure an aggregated Ethernet interface on Juniper boxes, you use the link aggregation feature to bundle one or more physical links into a virtual link. The client treats this virtual link as if it were a single link.

To configure aggregated ethernet interfaces, using the JUNOS CLI:

1. Specify the number of aggregated Ethernet interfaces to be created:

[edit chassis]
jahil@Voyager# set aggregated-devices device-count 2

2. Specify the minimum number of links required for the aggregated Ethernet interface (aex), that is, the defined bundle, to be labeled "up":

[edit interfaces]
jahil@Voyager# set ae0 aggregated-ether-options minimum-links 2

3. Specify the link speed for the aggregated Ethernet bundle:

[edit interfaces]
jahil@Voyager# set ae0 aggregated-ether-options link-speed 1g

4. Specify the member links to be included in the aggregated Ethernet bundle:

[edit interfaces]
jahil@Voyager# set ge-0/1/0 ether-options 802.3ad ae0
jahil@Voyager# set ge-1/1/0 ether-options 802.3ad ae0

5. Specify an interface family for the aggregated Ethernet bundle:

[edit interfaces]
jahil@Voyager# set ae0 unit 0 family inet address 1.1.1.1/24


Note: An interface with an already configured IP address cannot form part of the aggregation group.

Posted by jahil | 0 Comments

Netflow on Juniper Router

On Juniper routers, if you want to sample all traffic you don't really need a firewall filter; you can use the following simple form:

    ge-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                }
            }
        }
    }

Packet sampling can also be done by defining a firewall filter that accepts and samples specific traffic, applying that filter to the interface, and then configuring sampling under forwarding-options, like so:

forwarding-options {
    sampling {
        input {
            family inet {
                rate 100; /* packet sampling rate */
            }
        }
        output {
            cflowd <flow collector IP address> {
                port 9991; /* port number */
                source-address <source IP>;
                version 5;  /* netflow version number */
            }
            flow-active-timeout 60; /* the tool you're using may want something different */
        }
    }
}


These settings are per-interface:

interfaces {
    <interface> {
        unit <unit-number> {
            family inet {
                sampling {
                    input;
                }
                ...
            }
            ...
        }
        ...
    }
}
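The filter-based variant the text mentions, as an added example that is not from the original post: a family inet filter that marks only TCP web traffic for sampling and is applied as an input filter in place of the sampling input statement. The filter name, the interface ge-0/0/0 and the chosen ports are assumptions; the sampling rate and the collector still come from the forwarding-options stanza above.

```junos
firewall {
    family inet {
        filter sample-web-only {
            /* Only packets matching this term are handed to the sampler,
               at the rate configured under forwarding-options sampling. */
            term sample-web {
                from {
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    sample;
                    accept;
                }
            }
            /* Filters end in an implicit discard: pass the rest unsampled. */
            term pass-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input sample-web-only;
                }
            }
        }
    }
}
```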

Note: If you want to use Jflow on M Series routers you will have to buy specialised hardware (AS/MS PIC or you can buy an M7i with embedded AS PIC).

One can use Jflow on the RE, but I personally don't recommend it as you could flood out routing updates etc. Hardware-wise you'd probably be best off with one of the new MultiService PICs (PE-MS-100-1 would fit). More info about the MS PICs can be found here: http://www.juniper.net/us/en/local/pdf/datasheets/1000199-en.pdf

With regards to licensing, you will need a licence (S-ACCT) for use with AS or MS PICs.

Posted by jahil | 0 Comments

Randy Bush on IPv6 Deployment

Great interview with Randy Bush. Very interesting thoughts about the costs experienced when hitting the IPv4 wall.


Randy Bush, of Internet Initiative Japan Inc. (IIJ), discusses IPv6 deployment. The interview includes practical information on the challenges, costs and planning of rolling out IPv6.
Posted by jahil | 0 Comments

What Cisco code version to run?

Which Cisco IOS software version should I be using? Well, no one can answer this straight away. But Cisco offers the most software tools for its IOS routers, so many of the tools below are only for them. Here are some of the best tools and research sites for finding the code version you need on your Cisco security products.

  • IOS software Advisor Tool - An excellent tool for getting automated advice on the best IOS code to use. I highly recommend the Research Software tab within this tool.
  • Cisco IOS Reference Guide – This indispensable guide explains all aspects of how IOS is packaged, what feature sets mean, how to make sense of the IOS numbering scheme, how to interpret what each character in an IOS image name means, and more.
  • Cisco Bug Toolkit - Your tool for doing code bug scrubs for all Cisco security products. I highly recommend you check the advanced options button. This gives you many more options to use in your research.
  • Feature Navigator - Allows you to find what IOS code exactly matches the features you require. Allows you to compare two images side by side.
  • Product Alert Tool - sign up to receive PSIRT security alerts for IOS and other Cisco products.
  • Intellishield PSIRT search tool - Use this tool to find security alerts on Cisco’s security products. Use the keyword field to input the product name you are looking for.
  • Cisco Field Notices - Field Notices are notifications that are published for significant issues, other than security vulnerability related issues, and typically require an upgrade, work-around, or other customer action. Be sure to check these notices as part of our research.
  • Product Release Notes – The best way to find these is to use the CCO search tool. A good search pattern to use is “release notes”, for example “release notes asa 8.0.4”. Be sure to pay careful attention to the open caveats section of the release note.
  • Cisco Discussion Forums - These forums are a good place to ask questions to your peers and to Cisco.
Posted by jahil | 1 Comments

Configuring the Juniper Media, IP & MPLS MTU

Here I have some information on MTU handling on Juniper devices that I investigated for a customer a while ago. The frames actually transmitted also contain cyclic redundancy check (CRC) bits, which are not part of the media MTU. For example, the media MTU for a Gigabit Ethernet interface is specified as 1500 bytes, but the largest possible frame size is actually 1504 bytes; you need to consider the extra bits when calculating MTUs for interoperability.

Encapsulation Overhead by Encapsulation Type

Interface Encapsulation                                                       Encapsulation Overhead (Bytes)
802.1Q/Ethernet 802.3                                                         21
802.1Q/Ethernet Subnetwork Access Protocol (SNAP)                             26
802.1Q/Ethernet version 2                                                     18
ATM Cell Relay                                                                4
ATM permanent virtual connection (PVC)                                        12
Cisco HDLC                                                                    4
Ethernet 802.3                                                                17
Ethernet circuit cross-connect (CCC) and virtual private LAN service (VPLS)   4
Ethernet over ATM                                                             32
Ethernet SNAP                                                                 22
Ethernet translational cross-connect (TCC)                                    18
Ethernet version 2                                                            14
Extended virtual local area network (VLAN) CCC and VPLS                       4
Extended VLAN TCC                                                             22
Frame Relay                                                                   4
PPP                                                                           4
VLAN CCC                                                                      4
VLAN VPLS                                                                     4
VLAN TCC                                                                      22


Default media MTU = Default IP MTU + L2 encapsulation overhead
Default IP MTU = Default media MTU - L2 encapsulation overhead
MPLS MTU = physical interface MTU - L2 encapsulation overhead - 12
If the IP MTU is already set, then MPLS MTU = IP MTU + 20 bytes
IP MTU is the packet size without the Layer 2 header.

Note: In other words, the formula used to determine the MPLS MTU is the following:
MPLS MTU = physical interface MTU - encapsulation overhead - 12
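Applying the formulas above to a jumbo-frame case, as an added example that is not from the original post: an Ethernet version 2 interface (14 bytes of overhead from the table) with the media MTU raised to 9192 bytes. The interface ge-0/0/1 and the address are assumptions.

```junos
interfaces {
    ge-0/0/1 {
        mtu 9192;                     /* media MTU; the CRC bits are not counted */
        unit 0 {
            family inet {
                mtu 9178;             /* 9192 - 14 (Ethernet version 2 overhead) */
                address 10.0.0.1/30;  /* constructed address */
            }
            family mpls {
                mtu 9166;             /* 9192 - 14 - 12, per the MPLS MTU formula */
            }
        }
    }
}
```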
Posted by jahil | 43 Comments

JUNOS annotate

Adding comments to configuration is always tricky with network devices. Annotate is just one of many cool features in JUNOS. The JUNOS CLI lets you leave comments about the configuration as a part of its listing. The comments can be quite handy when you or other team members are trying to troubleshoot a problem or need to make configuration changes. Use annotate followed by your note when you want to include comments:

[edit]
jahil@R1# annotate system this device is for training JAHIL JUNOS users

When you add comments in configuration mode, they are associated with a statement at the current level. Each statement can have one single-line comment associated with it. To delete a comment, use the annotate command with an empty string:

[edit]
jahil@R1# annotate system ""
Posted by jahil | 0 Comments

Scripting for Switches/Routers

Having a scripting language on your router comes in pretty handy sometimes (though I bet most people don't really use the Tcl interpreter on their Cisco routers). I have been using Tcl scripts for ages. The new EEM is just heavenly; you can trigger on almost everything, even add your own syslog messages or create menus for low-level NOC engineers.

Event tracking and management has traditionally been performed by devices external to the networking device. Cisco Embedded Event Manager (EEM) has been designed to offer event management capability directly in Cisco IOS devices. The on-device, proactive event management capabilities of EEM are useful because not all event management can be done off router because some problems compromise communication between the router and the external network management device. Capturing the state of the router during such situations can be invaluable in taking immediate recovery actions and gathering information to perform root-cause analysis. Network availability is also improved if automatic recovery actions are performed without the need to fully reboot the routing device.

I like what I see. I would love it if this tool could be integrated with Perl (Tcl is a good move though) for Cisco IOS so that I could have everything in one place (it might require dual CPUs or HT on Cisco routers for better performance! lols)

I just can't wait to have the same feature in Juniper's JUNOS.

Posted by jahil | 0 Comments

I just got engaged!

So I just got engaged on Friday.. very exciting. We are planning on having a Winter 09/10 wedding, so it will be a 7 or 8 month engagement.
Posted by jahil | 9 Comments

MPLS-in-GRE & MPLS-in-IP

JUNOS now supports MPLS-in-GRE and MPLS-in-IP. You can now encapsulate the MPLS label stack of a packet in an IP header, making it possible to tunnel MPLS over networks that do not have MPLS enabled on their core routers.

The JUNOS software supports both types of IP-based encapsulations: MPLS-in-IP and MPLS-in-GRE. JUNOS can both push the IP-based encapsulation on MPLS packets at the ingress of an IP tunnel and pop the IP-based encapsulation at the egress.

For JUNOS Release 9.4, support was added for the M120 and M320 routers. To tunnel MPLS-labeled packets over a non-MPLS-enabled IP network, configure the family mpls statement at the [edit interfaces interface-name unit unit-number] hierarchy level.
Posted by jahil | 0 Comments