Second JUNOS topology – SP Network

On May 30, 2012, in Juniper, by Darren

I bashed this up together as I wanted a topology I could easily jump on and do things. This is all running on logical systems on a single M10.

This is the logical topology:

[Logical topology diagram: Juniper Lab Small, Second JUNOS topology, SP Network]

The actual physical topology is very simple:

[Physical topology diagram: Juniper SP Physical, Second JUNOS topology, SP Network]
The switch has been configured to run dot1q trunks to the M10, and I’ve created and allowed all the needed VLAN tags across them.

I’ve used 2 different fastethernet PICs, but there is nothing stopping you from using just one. I’ve created a separate user account for each system so that I can log in with a user directly into each logical-system. Just adjust the config for your interfaces.

This is my actual configuration:

set system login class J1-superuser logical-system J1
set system login class J1-superuser permissions all
set system login class J10-superuser logical-system J10
set system login class J10-superuser permissions all
set system login class J11-superuser logical-system J11
set system login class J11-superuser permissions all
set system login class J12-superuser logical-system J12
set system login class J12-superuser permissions all
set system login class J13-superuser logical-system J13
set system login class J13-superuser permissions all
set system login class J2-superuser logical-system J2
set system login class J2-superuser permissions all
set system login class J3-superuser logical-system J3
set system login class J3-superuser permissions all
set system login class J4-superuser logical-system J4
set system login class J4-superuser permissions all
set system login class J5-superuser logical-system J5
set system login class J5-superuser permissions all
set system login class J6-superuser logical-system J6
set system login class J6-superuser permissions all
set system login class J7-superuser logical-system J7
set system login class J7-superuser permissions all
set system login class J8-superuser logical-system J8
set system login class J8-superuser permissions all
set system login class J9-superuser logical-system J9
set system login class J9-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class J1-superuser
set system login user USER1 authentication encrypted-password "$1$fEMYRcpU$ckP4LFp/joAmkQ1sLnQ1a0"
set system login user USER10 uid 2012
set system login user USER10 class J10-superuser
set system login user USER10 authentication encrypted-password "$1$LDmrPRX.$Nkk0p1Ou8h.p2FGMYLlne1"
set system login user USER11 uid 2017
set system login user USER11 class J11-superuser
set system login user USER11 authentication encrypted-password "$1$1RNXWIVL$VRfTSmnGaJIkUfHf0exW1/"
set system login user USER12 uid 2018
set system login user USER12 class J12-superuser
set system login user USER12 authentication encrypted-password "$1$.Nd48UM0$RZS1F/5Rp3DrdgN2sEGsY0"
set system login user USER13 uid 2019
set system login user USER13 class J13-superuser
set system login user USER13 authentication encrypted-password "$1$EODMZXa4$z2qvVh/p57DtJPv0NFyzx1"
set system login user USER2 uid 2003
set system login user USER2 class J2-superuser
set system login user USER2 authentication encrypted-password "$1$U/jh6hA/$pmtdTtpVmjSCiQ4khqvNa1"
set system login user USER3 uid 2009
set system login user USER3 class J3-superuser
set system login user USER3 authentication encrypted-password "$1$/T3X1azh$lZYZHo4ZVSQUQkcZYbZyg0"
set system login user USER4 uid 2010
set system login user USER4 class J4-superuser
set system login user USER4 authentication encrypted-password "$1$Gnf/qqpk$ntwqdXpCIrqb2GBf.jlHu/"
set system login user USER5 uid 2011
set system login user USER5 class J5-superuser
set system login user USER5 authentication encrypted-password "$1$V5u2xmGv$wywji87Ny6BYK5mryKPnL0"
set system login user USER6 uid 2013
set system login user USER6 class J6-superuser
set system login user USER6 authentication encrypted-password "$1$D6.zttrE$wBubykb76IPG1Pf89OCkL1"
set system login user USER7 uid 2014
set system login user USER7 class J7-superuser
set system login user USER7 authentication encrypted-password "$1$23BG/cYA$VTtS3i6TK7m/9VjU.ENJE0"
set system login user USER8 uid 2015
set system login user USER8 class J8-superuser
set system login user USER8 authentication encrypted-password "$1$c5cJZahO$mqIttBhdQdnuK6pf7RQxk0"
set system login user USER9 uid 2016
set system login user USER9 class J9-superuser
set system login user USER9 authentication encrypted-password "$1$pNo90Key$.3KVzcsuBLu9TI1ke93rh0"
set system login user darreno full-name "Darren O'Connor"
set system login user darreno uid 2002
set system login user darreno class super-user
set system login user darreno authentication encrypted-password "$1$lWD7BqVU$/51zXBjngOU3B/qQLgeLW1"
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set logical-systems J1 interfaces fe-0/0/0 unit 13 vlan-id 13
set logical-systems J1 interfaces fe-0/0/0 unit 13 family inet address 10.1.3.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 15 vlan-id 15
set logical-systems J1 interfaces fe-0/0/0 unit 15 family inet address 10.1.8.1/24
set logical-systems J1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems J10 interfaces fe-0/0/1 unit 56 vlan-id 56
set logical-systems J10 interfaces fe-0/0/1 unit 56 family inet address 10.56.56.10/24
set logical-systems J10 interfaces fe-1/3/0 unit 79 vlan-id 79
set logical-systems J10 interfaces fe-1/3/0 unit 79 family inet address 10.10.13.10/24
set logical-systems J10 interfaces fe-1/3/3 unit 72 vlan-id 72
set logical-systems J10 interfaces fe-1/3/3 unit 72 family inet address 10.10.12.10/24
set logical-systems J10 interfaces lo0 unit 10 family inet address 10.10.10.10/32
set logical-systems J11 interfaces fe-0/0/0 unit 51 vlan-id 51
set logical-systems J11 interfaces fe-0/0/0 unit 51 family inet address 10.8.11.11/24
set logical-systems J11 interfaces fe-0/0/1 unit 66 vlan-id 66
set logical-systems J11 interfaces fe-0/0/1 unit 66 family inet address 10.9.11.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 16 vlan-id 16
set logical-systems J11 interfaces fe-1/3/0 unit 16 family inet address 10.11.12.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 19 vlan-id 19
set logical-systems J11 interfaces fe-1/3/0 unit 19 family inet address 10.11.13.11/24
set logical-systems J11 interfaces lo0 unit 11 family inet address 11.11.11.11/32
set logical-systems J12 interfaces fe-0/0/0 unit 59 vlan-id 59
set logical-systems J12 interfaces fe-0/0/0 unit 59 family inet address 10.8.12.12/24
set logical-systems J12 interfaces fe-1/3/0 unit 72 vlan-id 72
set logical-systems J12 interfaces fe-1/3/0 unit 72 family inet address 10.10.12.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 14 vlan-id 14
set logical-systems J12 interfaces fe-1/3/3 unit 14 family inet address 10.12.13.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 16 vlan-id 16
set logical-systems J12 interfaces fe-1/3/3 unit 16 family inet address 10.11.12.12/24
set logical-systems J12 interfaces lo0 unit 12 family inet address 12.12.12.12/32
set logical-systems J13 interfaces fe-0/0/1 unit 63 vlan-id 63
set logical-systems J13 interfaces fe-0/0/1 unit 63 family inet address 10.9.13.13/24
set logical-systems J13 interfaces fe-1/3/0 unit 14 vlan-id 14
set logical-systems J13 interfaces fe-1/3/0 unit 14 family inet address 10.12.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 19 vlan-id 19
set logical-systems J13 interfaces fe-1/3/3 unit 19 family inet address 10.11.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 79 vlan-id 79
set logical-systems J13 interfaces fe-1/3/3 unit 79 family inet address 10.10.13.13/24
set logical-systems J13 interfaces lo0 unit 13 family inet address 13.13.13.13/32
set logical-systems J2 interfaces fe-0/0/0 unit 25 vlan-id 25
set logical-systems J2 interfaces fe-0/0/0 unit 25 family inet address 10.2.8.2/24
set logical-systems J2 interfaces lo0 unit 2 family inet address 2.2.2.2/32
set logical-systems J3 interfaces fe-0/0/1 unit 13 vlan-id 13
set logical-systems J3 interfaces fe-0/0/1 unit 13 family inet address 10.1.3.3/24
set logical-systems J3 interfaces fe-0/0/1 unit 36 vlan-id 36
set logical-systems J3 interfaces fe-0/0/1 unit 36 family inet address 10.3.9.3/24
set logical-systems J3 interfaces lo0 unit 3 family inet address 3.3.3.3/32
set logical-systems J4 interfaces fe-0/0/1 unit 46 vlan-id 46
set logical-systems J4 interfaces fe-0/0/1 unit 46 family inet address 10.4.9.4/24
set logical-systems J4 interfaces lo0 unit 4 family inet address 4.4.4.4/32
set logical-systems J5 interfaces fe-1/3/0 unit 56 vlan-id 56
set logical-systems J5 interfaces fe-1/3/0 unit 56 family inet address 10.56.56.5/24
set logical-systems J5 interfaces lo0 unit 5 family inet address 5.5.5.5/32
set logical-systems J6 interfaces fe-1/3/3 unit 56 vlan-id 56
set logical-systems J6 interfaces fe-1/3/3 unit 56 family inet address 10.56.56.6/24
set logical-systems J6 interfaces lo0 unit 6 family inet address 6.6.6.6/32
set logical-systems J7 interfaces fe-0/0/0 unit 56 vlan-id 56
set logical-systems J7 interfaces fe-0/0/0 unit 56 family inet address 10.56.56.7/24
set logical-systems J7 interfaces lo0 unit 7 family inet address 7.7.7.7/32
set logical-systems J8 interfaces fe-0/0/1 unit 15 vlan-id 15
set logical-systems J8 interfaces fe-0/0/1 unit 15 family inet address 10.1.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 25 vlan-id 25
set logical-systems J8 interfaces fe-0/0/1 unit 25 family inet address 10.2.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 51 vlan-id 51
set logical-systems J8 interfaces fe-0/0/1 unit 51 family inet address 10.8.11.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 59 vlan-id 59
set logical-systems J8 interfaces fe-0/0/1 unit 59 family inet address 10.8.12.8/24
set logical-systems J8 interfaces lo0 unit 8 family inet address 8.8.8.8/32
set logical-systems J9 interfaces fe-0/0/0 unit 36 vlan-id 36
set logical-systems J9 interfaces fe-0/0/0 unit 36 family inet address 10.3.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 46 vlan-id 46
set logical-systems J9 interfaces fe-0/0/0 unit 46 family inet address 10.4.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 63 vlan-id 63
set logical-systems J9 interfaces fe-0/0/0 unit 63 family inet address 10.9.13.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 66 vlan-id 66
set logical-systems J9 interfaces fe-0/0/0 unit 66 family inet address 10.9.11.9/24
set logical-systems J9 interfaces lo0 unit 9 family inet address 9.9.9.9/32
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-1/3/0 vlan-tagging
set interfaces fe-1/3/3 vlan-tagging
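
Because every link in this lab is a VLAN tag that has to appear on exactly the right logical systems, with matching /24s and vlan-tagging on the physical ports, it is easy to mistype one and spend an hour wondering why an adjacency never forms. The script below is an added example, not part of the post or of anything Juniper ships: it parses a constructed subset of the set statements above (password hashes left out, and with a couple of deliberate gaps) and reports dangling VLANs, mismatched subnets, IFDs that carry tagged units without vlan-tagging, users whose class is not tied to a logical-system, and telnet being enabled next to ssh.

```python
import re
from collections import defaultdict
from ipaddress import ip_interface

# Constructed subset of the page's own `set` lines (hashes omitted); J8 and the
# vlan-tagging line for fe-0/0/1 are deliberately missing so the checks fire.
SAMPLE_CONFIG = """\
set system login class J1-superuser logical-system J1
set system login class J3-superuser logical-system J3
set system login user USER1 uid 2000
set system login user USER1 class J1-superuser
set system login user USER3 uid 2009
set system login user USER3 class J3-superuser
set system login user darreno class super-user
set system services ssh
set system services telnet
set logical-systems J1 interfaces fe-0/0/0 unit 13 vlan-id 13
set logical-systems J1 interfaces fe-0/0/0 unit 13 family inet address 10.1.3.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 15 vlan-id 15
set logical-systems J1 interfaces fe-0/0/0 unit 15 family inet address 10.1.8.1/24
set logical-systems J3 interfaces fe-0/0/1 unit 13 vlan-id 13
set logical-systems J3 interfaces fe-0/0/1 unit 13 family inet address 10.1.3.3/24
set interfaces fe-0/0/0 vlan-tagging
"""

RE_CLASS = re.compile(r"^set system login class (\S+) logical-system (\S+)$")
RE_USER = re.compile(r"^set system login user (\S+) class (\S+)$")
RE_SERVICE = re.compile(r"^set system services (\S+)$")
RE_VLAN = re.compile(r"^set logical-systems (\S+) interfaces (\S+) unit (\d+) vlan-id (\d+)$")
RE_ADDR = re.compile(r"^set logical-systems (\S+) interfaces (\S+) unit (\d+) family inet address (\S+)$")
RE_TAGGING = re.compile(r"^set interfaces (\S+) vlan-tagging$")


def parse_set_config(text):
    """Reduce flat `set` lines to the handful of facts the checks need."""
    cfg = {
        "class_ls": {},     # login class -> logical-system it is confined to
        "user_class": {},   # user -> login class
        "services": set(),  # enabled management services
        "vlan_of": {},      # (logical-system, ifd, unit) -> vlan-id
        "addr_of": {},      # (logical-system, ifd, unit) -> inet address
        "tagged": set(),    # physical interfaces with vlan-tagging enabled
    }
    for line in text.splitlines():
        line = line.strip()
        if m := RE_CLASS.match(line):
            cfg["class_ls"][m[1]] = m[2]
        elif m := RE_USER.match(line):
            cfg["user_class"][m[1]] = m[2]
        elif m := RE_SERVICE.match(line):
            cfg["services"].add(m[1])
        elif m := RE_VLAN.match(line):
            cfg["vlan_of"][(m[1], m[2], m[3])] = int(m[4])
        elif m := RE_ADDR.match(line):
            cfg["addr_of"][(m[1], m[2], m[3])] = m[4]
        elif m := RE_TAGGING.match(line):
            cfg["tagged"].add(m[1])
    return cfg


def vlan_endpoints(cfg):
    """Group IFLs by vlan-id: vlan -> [(logical-system, ifd, unit, address)]."""
    groups = defaultdict(list)
    for key, vlan in cfg["vlan_of"].items():
        ls, ifd, unit = key
        groups[vlan].append((ls, ifd, unit, cfg["addr_of"].get(key)))
    return dict(groups)


def audit(text):
    """Return human-readable findings; an empty list means the topology is consistent."""
    cfg = parse_set_config(text)
    findings, untagged = [], set()

    for vlan, eps in sorted(vlan_endpoints(cfg).items()):
        if len(eps) < 2:  # every VLAN is a link between logical systems; one end means no peer
            ls, ifd, unit, _ = eps[0]
            findings.append(f"vlan {vlan}: only one endpoint ({ls} {ifd}.{unit}); link has no peer")
        nets = {ip_interface(a).network for *_, a in eps if a}
        if len(nets) > 1:  # all ends of a link must share the /24
            findings.append(f"vlan {vlan}: endpoints in different subnets {sorted(map(str, nets))}")
        for ls, ifd, unit, addr in eps:
            if ifd not in cfg["tagged"]:
                untagged.add(ifd)

    for ifd in sorted(untagged):  # a tagged unit on an untagged IFD never comes up
        findings.append(f"{ifd}: carries VLAN units but has no 'vlan-tagging'")

    for user, cls in sorted(cfg["user_class"].items()):
        if cls not in cfg["class_ls"]:  # not confined to one logical-system
            findings.append(f"user {user}: class {cls} is not tied to a logical-system (global access)")

    if "telnet" in cfg["services"]:  # management service with no transport encryption
        findings.append("system services: telnet is enabled alongside ssh")

    return findings
```

Run `audit(open("lab.set").read())` against the full configuration to get the same report for the real lab; on the page's config the only multi-endpoint VLAN is 56, which is a shared segment rather than an error, so the checks treat more than two endpoints as fine and only a single endpoint as a problem.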

Getting started with JUNOS routing policy

On May 26, 2012, in Juniper, by Darren

Learning a manufacturer’s OS is generally not too difficult once you’ve learnt one. After all, OSPF is still OSPF, BGP is still BGP, etc. Most of the time you just need to learn the configuration syntax for your local device and you’re good to go.

Some things can be quite different though. One of the bigger differences between IOS and JUNOS is how routes are advertised into an IGP or BGP, and how routes are redistributed from one protocol to another.

I wanted to go over some of the basics. In a later post I can get more complicated, because it can start to get VERY complicated. For this mini lab I’ll use my current JUNOS topology and match it with an identical IOS config.

Juniper:
[Topology diagram: First Junos lab]

Cisco:
[Topology diagram: IOS equivalent of the JUNOS lab]

Each of the routers in the topology has a loopback address with its number in all four octets, i.e. R1 is 1.1.1.1/32, R2 is 2.2.2.2/32 and so on.

R1, R2, and R5 are all running OSPF with each other. R5 is running eBGP with R3 and R4. R3 and R4 are in AS 3 and AS 4 respectively.

The first thing I want to do is advertise R4’s loopback address to R5. In IOS I could either configure a network statement, or I could redistribute connected through a route-map that matches the loopback. Let’s do the second for now and do the same in JUNOS.

IOS (R4):

route-map LOOPBACK permit 10
 match interface Loopback0
!
router bgp 4
 redistribute connected route-map LOOPBACK
 neighbor 10.45.45.5 remote-as 5

This route-map matches the address on R4’s loopback and then advertises that loopback to its BGP neighbours. The important thing to note is that the route-map has an implicit deny at the end. Hence if you just match something in the route-map, anything not matching is denied.

Let’s take a quick look on R5 to check that we are seeing R4’s loopback:

R5#sh ip bgp | begin 4.4.4.4
*> 4.4.4.4/32       10.45.45.4               0             0 4 ?
R5#sh ip bgp 4.4.4.4
BGP routing table entry for 4.4.4.4/32, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Advertised to update-groups:
        1
  4
    10.45.45.4 from 10.45.45.4 (4.4.4.4)
      Origin incomplete, metric 0, localpref 100, valid, external, best

As expected, we are seeing R4’s loopback in our BGP table. We also notice the origin is ? (incomplete).

Let’s now do the same on JUNOS:
JUNOS(J4):

policy-options {
    policy-statement ADVERTISE_LOOPBACK {
        from interface lo0.4;
        then accept;
    }
}
protocols {
    bgp {
        group EXTERNAL {
            export ADVERTISE_LOOPBACK;
            local-as 4;
            neighbor 10.45.45.5 {
                peer-as 5;
            }
        }
    }
}
In JUNOS I have created a policy-statement that matches interface lo0.4, with an action of accept, which means the route is advertised when the policy is applied as an export. Under the BGP process I then call this policy via an export statement. Essentially they are doing very similar things. However, at this stage there is one BIG difference. In IOS, as noted above, a route-map has an implicit deny at the end of it. A JUNOS policy, on the other hand, has no implicit deny: any route that no term accepts or rejects falls through to the protocol’s default policy. I won’t go into all of the default policies as you can find them right here: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/default-routing-policies-and-actions.html

Let’s have a look on J5 to ensure we are seeing that loopback though:

USER5:J5> show route protocol bgp

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

4.4.4.4/32         *[BGP/170] 16:38:00, localpref 100
                      AS path: 4 I
                    > to 10.45.45.4 via fe-0/0/0.45

USER5:J5> show route 4.4.4.4/32 detail

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
4.4.4.4/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Router, Next hop index: 1061
                Address: 0x8f9c298
                Next-hop reference count: 2
                Source: 10.45.45.4
                Next hop: 10.45.45.4 via fe-0/0/0.45, selected
                State: 
                Peer AS:     4
                Age: 16:38:08
                Task: BGP_4_5.10.45.45.4+61939
                Announcement bits (2): 0-KRT 3-BGP RT Background
                AS path: 4 I
                Accepted
                Localpref: 100
                Router ID: 4.4.4.4

Another difference you’ll see in the AS path (4 I) is that JUNOS gives this route an origin of I (IGP), rather than the incomplete (?) origin IOS assigned.

Both OSes allow you to manipulate attributes through the same route-map/route-policy. Let’s say we wanted to adjust the MED to 500 when advertising the loopback.
IOS:

R4#sh run | sec route-map
route-map LOOPBACK permit 10
 match interface Loopback0
 set metric +500


R5#sh ip bgp 4.4.4.4
BGP routing table entry for 4.4.4.4/32, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
        1
  4
    10.45.45.4 from 10.45.45.4 (4.4.4.4)
      Origin incomplete, metric 500, localpref 100, valid, external, best

JUNOS:

policy-options {
    policy-statement ADVERTISE_LOOPBACK {
        from interface lo0.4;
        then {
            metric add 500;
            accept;
        }
    }
}

USER5:J5> show route 4.4.4.4/32 detail

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
4.4.4.4/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Router, Next hop index: 1061
                Address: 0x8f9c298
                Next-hop reference count: 2
                Source: 10.45.45.4
                Next hop: 10.45.45.4 via fe-0/0/0.45, selected
                State: 
                Peer AS:     4
                Age: 15         Metric: 500
                Task: BGP_4_5.10.45.45.4+61939
                Announcement bits (2): 0-KRT 3-BGP RT Background
                AS path: 4 I
                Accepted
                Localpref: 100
                Router ID: 4.4.4.4

So route-policy is kind of like a route-map, but the same route-policy statement is also used for redistribution. Let’s now say we want to redistribute all OSPF routes into BGP. In IOS we would use redistribution, while in JUNOS we use route-policy again.

Let’s start with IOS again:

R5#sh run | sec router bgp
router bgp 5
 redistribute ospf 1

R4#show ip bgp | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       10.45.45.5              11             0 5 ?
*> 2.2.2.2/32       10.45.45.5              11             0 5 ?
*> 4.4.4.4/32       0.0.0.0                500         32768 ?
*> 5.5.5.5/32       10.45.45.5               0             0 5 ?
*> 10.12.12.0/24    10.45.45.5              11             0 5 ?
*> 10.15.15.0/24    10.45.45.5               0             0 5 ?
*> 10.21.21.0/24    10.45.45.5              20             0 5 ?
*> 10.25.25.0/24    10.45.45.5               0             0 5 ?

In JUNOS there is no redistribute command. Rather we use an export route-policy, and simply match OSPF routes:

policy-options {
    policy-statement OSPF2BGP {
        from protocol ospf;
        then accept;
    }
}
protocols {
    bgp {
        local-as 5;
        group EXTERNAL {
            export OSPF2BGP;
        }
    }
}

USER4:J4> show route protocol bgp

inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[BGP/170] 00:01:54, MED 1, localpref 100
                      AS path: 5 I
                    > to 10.45.45.5 via fe-0/0/1.45
2.2.2.2/32         *[BGP/170] 00:01:54, MED 1, localpref 100
                      AS path: 5 I
                    > to 10.45.45.5 via fe-0/0/1.45
10.12.12.0/24      *[BGP/170] 00:01:54, MED 2, localpref 100
                      AS path: 5 I
                    > to 10.45.45.5 via fe-0/0/1.45
10.21.21.0/24      *[BGP/170] 00:01:54, MED 2, localpref 100
                      AS path: 5 I
                    > to 10.45.45.5 via fe-0/0/1.45
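
The implicit deny of a route-map, the fall-through to the protocol default policy in JUNOS, the "metric add 500" action and the OSPF2BGP export above all come down to how a list of terms is walked. The small model below is an added example (my own code, not Juniper's or Cisco's, and not from the post): it evaluates the post's two policies against a constructed set of routes modelled on the J4/J5 tables, once with JUNOS semantics (attribute changes stick even without a terminating action; unmatched routes get the BGP default export policy, which readvertises active BGP routes) and once with route-map semantics (first matching sequence decides, no match is a deny). The IOS function models only the redistribute route-map, so a "False" for a BGP-learned route there means "not redistributed", which is why the 9.9.9.9/32 row differs between the two.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    protocol: str        # "direct", "ospf", "bgp", ...
    interface: str = ""  # attached IFL, e.g. "lo0.4"
    metric: int = 0


@dataclass
class Term:
    """One term of a policy-statement, or one sequence of a route-map.

    action is "accept"/"reject" (IOS spells them permit/deny) or None for a
    term that only modifies attributes and lets evaluation continue."""
    match_protocol: Optional[str] = None
    match_interface: Optional[str] = None
    add_metric: int = 0
    action: Optional[str] = None

    def matches(self, r: Route) -> bool:
        return (self.match_protocol in (None, r.protocol)
                and self.match_interface in (None, r.interface))


def bgp_default_export(r: Route) -> bool:
    """JUNOS default export policy for BGP: readvertise active BGP routes, nothing else."""
    return r.protocol == "bgp"


def evaluate_junos(policy: List[Term], r: Route,
                   default: Callable[[Route], bool] = bgp_default_export) -> Tuple[bool, int]:
    """Walk the terms in order. Attribute changes stick even without a terminating
    action, and a route that reaches the end falls through to the protocol default."""
    metric = r.metric
    for term in policy:
        if not term.matches(r):
            continue
        metric += term.add_metric
        if term.action == "accept":
            return True, metric
        if term.action == "reject":
            return False, metric
    return default(r), metric


def evaluate_ios_route_map(route_map: List[Term], r: Route) -> Tuple[bool, int]:
    """IOS route-map: the first matching sequence decides; no match is an implicit deny."""
    for seq in route_map:
        if seq.matches(r):
            return seq.action == "accept", r.metric + seq.add_metric
    return False, r.metric


# The two policies from the post, and constructed routes modelled on the lab tables.
ADVERTISE_LOOPBACK = [Term(match_interface="lo0.4", add_metric=500, action="accept")]
OSPF2BGP = [Term(match_protocol="ospf", action="accept")]
ROUTES = [
    Route("4.4.4.4/32", "direct", "lo0.4"),
    Route("10.45.45.0/24", "direct", "fe-0/0/1.45"),
    Route("1.1.1.1/32", "ospf", "fe-0/0/0.15", metric=11),
    Route("9.9.9.9/32", "bgp", "fe-0/0/1.45"),  # learned from another eBGP peer
]


def export_decisions(policy, routes, evaluator=evaluate_junos):
    """prefix -> (advertised?, metric as sent) for every candidate route."""
    return {r.prefix: evaluator(policy, r) for r in routes}
```

`export_decisions(ADVERTISE_LOOPBACK, ROUTES)` advertises 4.4.4.4/32 with metric 500 and, through the default policy, 9.9.9.9/32, while the connected /24 and the OSPF route stay out. Swap in a default of `lambda r: False` to see what a trailing `then reject` term would do to the same policy.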

I’ll be spending more time on route-policy in future, but for now this should do. In the end it’s really not that difficult, just different.


Okay it’s my own fault for not reading. I went ahead and purchased an Adaptive Services PIC and a Tunnel Services PIC for my lab M10. Turns out the Adaptive Services PIC needs an Enhanced FPC which the M10 doesn’t have, so I can’t use it.

The Tunnel Services PIC is supported, but the feature I specifically needed, logical tunnels, is again only supported on M routers with an Enhanced FPC. Out of interest, you can only get an Enhanced FPC on M20s and above.

So, I’ve put them up for sale on eBay. If you know anyone who needs either of these, please direct them to these eBay pages:

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=110886811229&ssPageName=STRK:MESE:IT
http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=110886812719&ssPageName=STRK:MESE:IT


It’s well known that you can give your customer read-only access to the SNMP tree, but are you sure you want to give them that much information? Even though they can’t change anything, they are able to extract the full configuration, the full routing table and much much more.

As a test I set up SNMP read-only access to a Cisco box I have and ran a full snmpwalk on it. I extracted over 8Mb of text data, including full routing tables, ARP tables, OSPF tables and more.

Not only that, but while I was running the walk my device CPU was sitting pretty high:

Router#sh proc cpu sorted
CPU utilization for five seconds: 33%/3%; one minute: 76%; five minutes: 54%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
210      121148      106996       1132 15.11% 44.65% 25.56%   0 SNMP ENGINE
107       70240      213991        328  7.35% 12.99% 11.51%   0 IP SNMP

Walking the entire SNMP tree also took almost 5 minutes.

So do you really want your customer to know that much? And secondly, do you really want your customer’s monitoring system polling your devices for everything while your device sits with high CPU all the time?

I was testing with a few views this morning and came up with the following:

snmp-server view RESTRICT iso included
snmp-server view RESTRICT at.* excluded
snmp-server view RESTRICT ip.* excluded
snmp-server view RESTRICT ospf.* excluded
snmp-server community [community] view RESTRICT RO [acl]

When I polled using this community it took less than 5 seconds and gave me pretty much all the information I would want to give the customer. Be sure to exclude the subtree for the routing protocol you’re actually running; I have excluded OSPF above.

Out of interest, an snmpwalk on my edge BGP router gives me a text file of 0.5GB!
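
An IOS view is resolved per OID: the most specific included/excluded entry that covers the OID decides, and an OID under no entry at all is not readable. The following is an added example, not from the post and not Cisco code, that models that rule so you can see what the RESTRICT view above still exposes before you hand the community out. It uses the standard MIB-2 subtree numbers (system .1, interfaces .2, at .3, ip .4, ospf .14, bgp .15 under 1.3.6.1.2.1); the two tightened variants at the end, one that also excludes bgp and one built as an allow-list, are my own suggestions.

```python
# Well-known MIB-2 subtree assignments (IOS resolves these names in view entries).
MIB2 = "1.3.6.1.2.1"
NAMES = {
    "iso": "1",
    "system": MIB2 + ".1",
    "interfaces": MIB2 + ".2",
    "at": MIB2 + ".3",
    "ip": MIB2 + ".4",
    "tcp": MIB2 + ".6",
    "snmp": MIB2 + ".11",
    "ospf": MIB2 + ".14",
    "bgp": MIB2 + ".15",
}

# The RESTRICT view from the post as (subtree, included) pairs; "at.*" in IOS
# syntax means the whole subtree below "at".
RESTRICT_VIEW = [("iso", True), ("at", False), ("ip", False), ("ospf", False)]

# Tightened variants (my own): exclude the protocol actually run on a BGP edge,
# or switch to an allow-list where anything not named is invisible.
RESTRICT_BGP_TOO = RESTRICT_VIEW + [("bgp", False)]
ALLOWLIST_VIEW = [("system", True), ("interfaces", True)]

SUBTREES = ["system", "interfaces", "at", "ip", "tcp", "snmp", "ospf", "bgp"]


def oid_tuple(name_or_oid):
    """'ip', 'ip.*' or '1.3.6.1.2.1.4.21' -> tuple of integer arcs."""
    text = name_or_oid[:-2] if name_or_oid.endswith(".*") else name_or_oid
    return tuple(int(arc) for arc in NAMES.get(text, text).split("."))


def is_visible(view, name_or_oid):
    """The most specific (longest) view entry covering the OID decides, as in
    IOS snmp-server views; an OID covered by no entry at all is not visible."""
    target = oid_tuple(name_or_oid)
    best = None
    for subtree, included in view:
        arcs = oid_tuple(subtree)
        if target[: len(arcs)] == arcs and (best is None or len(arcs) > len(best[0])):
            best = (arcs, included)
    return best is not None and best[1]


def exposed(view, candidates):
    """Names from candidates that a walker using this view would still be able to read."""
    return [c for c in candidates if is_visible(view, c)]
```

`exposed(RESTRICT_VIEW, SUBTREES)` shows that with the post's view the bgp subtree is still readable, which is exactly the point about restricting the protocol you actually run; `exposed(ALLOWLIST_VIEW, SUBTREES)` shows how much shorter the list gets when the view names only what the customer needs.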


Another one done.

This was a bit more difficult than the BCNE, but it’s still a pretty easy exam. Lots of QoS/MPLS/etc.

[Image: Brocade Certified Service Provider Network Engineer certificate]

As noted I’ll be doing some Juniper stuff in the next couple of months while I wait for my passport to come. Watch this space :)


© 2009-2014 Darren O'Connor All Rights Reserved