Category: Juniper

            • AS-path filtering

              Cisco way:

              ip as-path access-list 1 deny _1234$
              ip as-path access-list 1 deny _5678$
              ip as-path access-list 1 permit .*

              router bgp 100
              neighbor 192.168.0.1 remote-as 200
              neighbor 192.168.0.1 description ebgp-test
              neighbor 192.168.0.1 filter-list 1 in

              Juniper way:

              protocols {
                  bgp {
                      group ebgp-test {
                          type external;
                          import test;
                          peer-as 200;
                          neighbor 192.168.0.1;
                      }
                  }
              }
              policy-options {
                  as-path a ".* 1234";
                  as-path b ".* 5678";
                  policy-statement test {
                      from as-path [ a b ];
                      then reject;
                  }
              }
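The two regex dialects do not work the same way: IOS matches characters of the path string (hence the `_` delimiter, which stops `1234$` from also hitting 51234), while Junos matches whole AS numbers as space-separated terms. The Python below is an added example, not code from the original post: it models both evaluations, runs the deny lists above over constructed sample paths, and confirms the two filters agree. The `_` expansion and the term grammar are this example's own approximations of the two syntaxes, covering only the `.*` and literal-AS terms the page uses.

```python
import re
from typing import List

# Constructed sample AS paths (space-separated, as printed by
# 'show ip bgp' / 'show route'); the empty string is a locally originated route.
SAMPLE_PATHS: List[str] = ["200 1234", "200 5678", "200 12340", "200 51234",
                           "1234 200", "200 300", ""]


def cisco_as_path_matches(regex: str, as_path: str) -> bool:
    """IOS as-path regexes are character regexes over the path string.
    '_' is a delimiter class (start, end, space, comma, ...); the expansion
    below is this example's approximation of it."""
    pattern = regex.replace("_", r"(?:^|$|[ ,])")
    return re.search(pattern, as_path) is not None


def junos_as_path_matches(regex: str, as_path: str) -> bool:
    """Junos as-path regexes are term based: each term is a whole AS number,
    '.*' stands for any number of ASes, and terms are separated by spaces."""
    parts = []
    for tok in regex.split():
        if tok == ".*":
            parts.append(r"(?:\d+ )*")
        elif tok.isdigit():
            parts.append(tok + " ")
        else:
            raise ValueError(f"term {tok!r} not supported by this example")
    padded = as_path + " " if as_path else ""  # every AS ends in a delimiter
    return re.fullmatch("".join(parts), padded) is not None


CISCO_DENY = ["_1234$", "_5678$"]    # ip as-path access-list 1 deny ...
JUNOS_DENY = [".* 1234", ".* 5678"]  # as-path a / as-path b


def cisco_filter_accepts(as_path: str) -> bool:
    """deny _1234$, deny _5678$, permit .* : the first matching entry decides."""
    for r in CISCO_DENY:
        if cisco_as_path_matches(r, as_path):
            return False
    return cisco_as_path_matches(".*", as_path)


def junos_policy_accepts(as_path: str) -> bool:
    """from as-path [ a b ]; then reject; otherwise BGP's default import (accept)."""
    return not any(junos_as_path_matches(r, as_path) for r in JUNOS_DENY)


def compare_policies(paths: List[str] = SAMPLE_PATHS) -> List[str]:
    """Return the paths on which the two filters disagree (expected: none)."""
    return [p for p in paths if cisco_filter_accepts(p) != junos_policy_accepts(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:14} cisco={cisco_filter_accepts(p)} junos={junos_policy_accepts(p)}")
    print("disagreements:", compare_policies())
```

Dropping the `_` on the IOS side (`deny 1234$`) would also reject a path ending in AS 51234; the Junos term form cannot make that mistake, which is why the two regexes are not literal translations of each other.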

            • Juniper Interfaces names

              Interfaces

              ae: Aggregated Ethernet A virtual aggregated link.
              as: Aggregated SONET/SDH A virtual aggregated link.
              at: ATM1 or ATM2 IQ Asynchronous Transfer Mode
              cau4: Channelized AU-4 IQ Configured on the Channelized STM-1 IQ PIC.
              coc1: Channelized OC-1 IQ Configured on the Channelized OC-12 IQ PIC.
              coc12: Channelized OC-12 IQ Configured on the Channelized OC-12 IQ PIC.
              cstm1: Channelized STM-1 IQ Configured on the Channelized STM-1 IQ PIC.
              ce1: Channelized E1 IQ Configured on the Channelized E1 IQ PIC or Channelized
              STM-1 IQ PIC.
              ct1: Channelized T1 IQ Configured on the Channelized DS-3 IQ PIC or
              Channelized OC-12 IQ PIC.
              ct3: Channelized T3 IQ Configured on the Channelized DS-3 IQ PIC or
              Channelized OC-12 IQ PIC.
              cp: Collector Configured on the Monitoring Services II PIC.
              ds: DS-0 Configured on the Channelized DS-3 to DS-0 PIC, Channelized E1 PIC, Channelized OC-12 IQ PIC
              dsc: Discard Allows you to identify the ingress point of a denial-of-service (DoS) attack.
              e1: E1 Includes the channelized STM-1 to E1 interfaces.
              e3: E3 Includes the E3 IQ interfaces.
              es: Encryption Allows you to configure a security association (SA) name
              with a logical interface.
              fe: Fast Ethernet 100Base-TX (Fast Ethernet, 100 Mbps).
              fxp0: Management and internal Ethernet The management Ethernet interface is an out-of-band management interface within the routing platform.
              fxp1: Interface that connects the routing engine and packet forwarding engine.
              ge: Gigabit Ethernet Includes Gigabit Ethernet IQ interfaces.
              gr: Generic Route Encapsulation tunnel Allows you to configure a unicast tunnel using GRE
              encapsulation.
              gre: Internally generated This interface is internally generated and is not
              configurable.
              ip: IP-over-IP encapsulation tunnel Allows you to configure a unicast tunnel using IP-IP
              encapsulation.
              ipip: Internally generated This interface is internally generated and is not
              configurable.
              lo: Loopback This interface is internally generated. The logical
              interface lo0.16383 is a non-configurable interface for routing platform control traffic.
              ls: Link services Supports bundles that contain links.
              lsi: Internally generated This interface is internally generated and is not
              configurable.
              ml: Multilink Includes Multilink Frame Relay and Multilink PPP.
              mo: Monitoring services Includes the monitoring services and monitoring services
              II interfaces. The logical interface mo-fpc/pic/port.16383 is an internally generated, non-configurable interface for routing platform control traffic.
              mt: Multicast tunnel Internal routing platform interface for VPNs.
              mtun: Internally generated This interface is internally generated and is not
              configurable.
              me0: Out-of-band management interface on EX switches.
              oc3: OC-3 IQ Configured on the Channelized OC-12 IQ PIC.
              pe: This interface is present on the first-hop routing platform. Encapsulates packets destined for the rendezvous point (RP) routing platform.
              pd: This interface is present on the RP De-encapsulates packets at the RP.
              pimd: Internally generated This interface is internally generated and is not
              configurable.
              pime: Internally generated This interface is internally generated and is not
              configurable.
              rlsq: A redundant bundle interface made of two or more lsq interfaces, used if you have redundant AS PICs.
              se: Serial Includes the EIA-530, V.35, and X.21 interfaces.
              so: SONET/SDH Both are widely used methods for very high speed
              transmission of voice and data signals across the numerous world-wide fiber-optic networks.
              sp: Adaptive services The logical interface sp-fpc/pic/port.16383 is an
              internally generated, non-configurable interface for routing platform control traffic.
              t1: T1 Includes the channelized DS-3 to DS-1 interfaces.
              t3: T3 Includes the channelized OC-12 to DS-3 interfaces.
              tap: Internally generated This interface is internally generated and is not
              configurable.
              vcp: Virtual chassis interface (EX4200 only).
              vsp: Voice services The Adaptive Services (AS) Physical Interface Card (PIC)
              supports the compressed real-time transport protocol (RTP) on this interface.
              vt: Virtual loopback tunnel On routing platforms equipped with a Tunnel PIC,
              enables egress filtering.
              xe: 1GE optical interface on EX switches.

              Juniper reference:
              http://www.juniper.net/techpubs/software/nog/nog-interfaces/download/nog-interfaces.pdf


            • Juniper Tacacs & Rancid

              A short how-to on configuring TACACS+ and RANCID for Juniper.

              Download TACACS+ (tac_plus) from ftp://ftp.shrubbery.net/pub/tac_plus/; you will also need tcp_wrappers for tac_plus to work.

              Install tcp_wrappers and tac_plus

              yum install -y tcp_wrappers
              yum install -y tcp_wrappers-devel
              yum install -y tcp_wrappers-libs
              Download ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
              tar zxvf tacacs+-F4.0.4.15.tar.gz
              cd tacacs+-F4.0.4.15
              ./configure
              make
              make install

              Set up tacacs.conf

              key = "secretkey"
              accounting file = /var/log/tac_plus
              acl = HomeNet {
                  permit = 10.2.2.1
              }
              user = rancid {
                  default service = permit
                  login = cleartext mypass
                  enable = cleartext mypass
                  service = junos-exec {
                      local-user-name = operations
                  }
              }
              user = giany {
                  default service = permit
                  login = cleartext mypass
                  enable = cleartext mypass
                  service = junos-exec {
                      local-user-name = operations
                  }
              }

              Configure Juniper Tacacs

              set system authentication-order [ tacplus password ]

              set system tacplus-server 10.2.2.1 secret secretkey
              set system accounting events login
              set system accounting events interactive-commands
              set system accounting destination tacplus
              set system login class network permissions network
              set system login class network permissions view
              set system login user operations full-name "Users with Full Access"
              set system login user operations uid 9999
              set system login user operations class super-user
              set system login user operations authentication encrypted-password "xxx"
              set system login user restricted full-name "Restricted"
              set system login user restricted uid 2000
              set system login user restricted class read-only
              set system login user restricted authentication encrypted-password "xxx"

              RANCID

              # adduser rancid
              Download ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.1.tar.gz
              # tar zxvf rancid-2.3.1.tar.gz
              # cd rancid-2.3.1
              # ./configure --prefix=/home/rancid
              # su - rancid
              # export CVSROOT=/home/rancid/var/CVS
              # cvs init
              # rancid-cvs

              .cloginrc

              add method 10.2.2.2 ssh

              add method 10.100.100.1 ssh
              add user olive rancid
              add user cisco rancid
              add password olive {mypass} {mypass}
              add password cisco {mypass} {mypass}

              Debug

              [rancid@box ~]$ clogin cisco
              cisco
              spawn ssh -c 3des -x -l rancid cisco
              rancid@cisco's password:
              Corp:2>enable
              Password:
              Corp:2#

              [rancid@box ~]$ jlogin olive
              olive
              spawn ssh -c 3des -x -l rancid olive

              WARNING: You are being watched.
              rancid@olive's password:
              --- JUNOS 7.4R2.6 built 2006-01-20 14:27:46 UTC
              rancid@olive.x83.net>

              # tail -f /var/log/tac_plus

              Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
              Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
              Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
              Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
              Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
              Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
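The accounting records above are what you would feed a log pipeline: pairing each start with its stop gives session lengths, sessions that never closed, and stops with no recorded start (the first line above, whose login predates the capture). The Python below is an added example, not part of the original post. It parses records of this shape (the attribute syntax follows TACACS+: `attr=value` is a mandatory attribute, `attr*value` an optional one, which is why `process*mgd[7038]` appears as it does) and correlates them on (NAS, user, port, task_id); the embedded log text is the six lines shown above.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# The six records from the tail -f output above, embedded so the example runs offline.
SAMPLE_LOG = """\
Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
"""

SessionKey = Tuple[str, str, str, str]  # (nas, user, port, task_id)


@dataclass
class Record:
    ts: datetime
    nas: str          # device that sent the record
    user: str
    port: str         # tty / line
    remote: str       # client address or hostname as reported by the device
    kind: str         # start | stop | update
    attrs: Dict[str, str]


@dataclass
class Session:
    key: SessionKey
    started: datetime
    stopped: datetime
    observed_seconds: int   # stop timestamp minus start timestamp
    reported_seconds: int   # elapsed_time claimed by the device (-1 if absent)


def parse_record(line: str) -> Record:
    """Split one tac_plus accounting line: 5 date tokens, 5 fixed fields, then AV pairs."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a tac_plus accounting record: {line!r}")
    ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    nas, user, port, remote, kind = f[5:10]
    attrs: Dict[str, str] = {}
    for tok in f[10:]:
        # TACACS+ AV pairs: '=' marks a mandatory attribute, '*' an optional one.
        sep = "=" if "=" in tok else "*" if "*" in tok else None
        if sep is None:
            attrs[tok] = ""
        else:
            k, v = tok.split(sep, 1)
            attrs[k] = v
    return Record(ts, nas, user, port, remote, kind, attrs)


def parse_log(text: str) -> List[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def correlate(records: List[Record]) -> Tuple[List[Session], List[str]]:
    """Pair starts with stops. Junos reuses task_id=1 for successive sessions on the
    same tty, so a stop closes the most recent open start with the same key rather
    than relying on a globally unique id."""
    open_starts: Dict[SessionKey, Record] = {}
    sessions: List[Session] = []
    anomalies: List[str] = []
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.nas, r.user, r.port, r.attrs.get("task_id", ""))
        if r.kind == "start":
            if key in open_starts:
                anomalies.append(f"duplicate start for {key} at {r.ts}")
            open_starts[key] = r
        elif r.kind == "stop":
            start = open_starts.pop(key, None)
            if start is None:
                anomalies.append(f"stop without start for {key} at {r.ts}")
                continue
            observed = int((r.ts - start.ts).total_seconds())
            reported = int(r.attrs.get("elapsed_time", "-1"))
            sessions.append(Session(key, start.ts, r.ts, observed, reported))
    for key, start in open_starts.items():
        anomalies.append(f"session still open for {key} since {start.ts}")
    return sessions, anomalies


if __name__ == "__main__":
    sess, odd = correlate(parse_log(SAMPLE_LOG))
    for s in sess:
        print(f"{s.key}: {s.observed_seconds}s observed, {s.reported_seconds}s reported")
    for a in odd:
        print("anomaly:", a)
```

On the six lines above this yields two closed sessions, one stop with no start and one session left open; note that the Junos session reports `elapsed_time=8` while the timestamps are seven seconds apart, so a detector should tolerate a second or two of skew rather than treat it as tampering.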

              Set idle-timeout so that an inactive user is disconnected after a while:

              login {
                  class admin {
                      idle-timeout 4;
                      permissions all;
                  }
                  user test {
                      class admin;
                  }
              }

              On the terminal you will see something like this:

              test@br0> Warning: session will be closed in 1 minute if there is no activity
              Warning: session will be closed in 10 seconds if there is no activity
              Idle timeout exceeded: closing session
              Connection closed by foreign host.

            • Detect transient routes Juniper

              oper@re> show route extensive 10.10.195.25

              inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden)
              10.10.195.0/24 (1 entry, 1 announced)
              TSI:
              KRT in-kernel 10.10.195.0/24/30 -> {10.10.4.3}
                       *BGP    Preference: 170/-101
                               Next hop type: Router, Next hop index: 453   <<<<<<<<<<<<<<<<<<<<
                               Next-hop reference count: 9
                               Source: 10.10.4.3
                               Next hop: 10.10.4.3 via t2-1/0/1:0.0, selected
                               State:
                               Local AS: 65101 Peer AS: 65000
                               Age: 4:19:18
                               Task: BGP_65000.10.10.4.3+179
                               Announcement bits (1): 0-KRT
                               AS path: 65000 65001 I
                               Communities: target:65000:1 src-as:65000:0 rt-import:10.128.128.3:5
                               Accepted
                               Localpref: 100
                               Router ID: 10.10.0.1

              oper@re> start shell pfe network feb

              SBR platform (266Mhz PPC 603e processor, 32MB memory, 512KB flash)

              SBR(fire vty)# show nhdb id 453
                 ID      Type      Interface    Next Hop Addr    Protocol         Encap   MTU
              -----  --------  -------------  ---------------  ----------  ------------  ----
                453   Unicast  t1-1/0/2:0.0   10.10.4.0           IPv4           PPP  1203
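The two outputs are read side by side: the routing engine's view of next-hop index 453 (address 10.10.4.3 via t2-1/0/1:0.0) against what the PFE's next-hop database holds for the same index (10.10.4.0 on t1-1/0/2:0.0). The Python below is an added example, not part of the original post, that automates that comparison: it extracts the next-hop index, address and interface from `show route extensive` text, looks the index up in `show nhdb id` text and reports the fields that differ. The embedded text is copied from the two outputs above; the parsing is this example's own and covers only the fields shown.

```python
import re
from typing import Dict, List

# Lines copied from the 'show route extensive' output above (marker removed).
ROUTE_OUTPUT = """\
10.10.195.0/24 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Router, Next hop index: 453
                Next-hop reference count: 9
                Source: 10.10.4.3
                Next hop: 10.10.4.3 via t2-1/0/1:0.0, selected
                Local AS: 65101 Peer AS: 65000
                AS path: 65000 65001 I
"""

# Lines copied from the 'show nhdb id 453' output above.
NHDB_OUTPUT = """\
   ID      Type      Interface    Next Hop Addr    Protocol         Encap   MTU
-----  --------  -------------  ---------------  ----------  ------------  ----
  453   Unicast  t1-1/0/2:0.0   10.10.4.0           IPv4           PPP  1203
"""


def parse_route_extensive(text: str) -> Dict[str, str]:
    """Pull next-hop index, next-hop address and outgoing interface out of
    'show route extensive' text (the trailing ', selected' is dropped)."""
    idx = re.search(r"Next hop index:\s*(\d+)", text)
    nh = re.search(r"Next hop:\s*(\S+)\s+via\s+([^\s,]+)", text)
    if not idx or not nh:
        raise ValueError("route output lacks a next hop index or next hop line")
    return {"index": idx.group(1), "next_hop": nh.group(1), "interface": nh.group(2)}


def parse_nhdb(text: str, index: str) -> Dict[str, str]:
    """Find the row for the given next-hop ID in 'show nhdb id <n>' text.
    The header and dashed rule never start with a digit, so matching the
    first column against the ID is enough."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == index:
            return {"interface": cols[2], "next_hop": cols[3]}
    raise ValueError(f"nhdb output has no row for ID {index}")


def compare_rib_fib(route_text: str, nhdb_text: str) -> Dict[str, object]:
    """Report the fields on which the RE's route and the PFE's next hop disagree."""
    rib = parse_route_extensive(route_text)
    fib = parse_nhdb(nhdb_text, rib["index"])
    mismatches: List[str] = [f for f in ("interface", "next_hop") if rib[f] != fib[f]]
    return {
        "index": rib["index"],
        "rib": {"next_hop": rib["next_hop"], "interface": rib["interface"]},
        "fib": fib,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    result = compare_rib_fib(ROUTE_OUTPUT, NHDB_OUTPUT)
    print(f"next-hop index {result['index']}: RE says {result['rib']}, PFE says {result['fib']}")
    print("mismatched fields:", result["mismatches"] or "none")
```

Run against the page's own output, both the interface and the next-hop address come back as mismatched, which is exactly the condition the two commands are being used to spot.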
              
            • Install SX Cards

              If you install a GigE SX card into an FPC slot, issue:

              request chassis pic fpc-slot 1 pic-slot 2 online

            • Eject users Juniper

              Let's say you want to log out (kick) a user:

              rancid@br0> show system users
              11:23PM  up 1 day, 19 mins, 3 users, load averages: 0.07, 0.02, 0.00
              USER     TTY      FROM                              LOGIN@  IDLE WHAT
              root     d0       -                                3:23PM   4:59 -csh (csh)
              rancid   p0       10.0.1.254                       8:55PM      - -cli (cli)
              test     p1       10.0.1.254                       11:23PM     - -cli (cli)    
              
              rancid@br0> request system logout user test
              

              And test will see:

              --- JUNOS 8.5R3.4 built 2008-04-24 03:40:14 UTC
              test@br0> Connection closed by foreign host.
              
            • Restrict VTY access Juniper

              Restricting remote access to your RE. The idea is to allow remote logins via SSH or telnet only from where you want them:
              I want a single host with a specific IP to be able to SSH in, and everything else rejected.
              !!! Warning !!!
              You need to understand that if you don't configure this well you might stop all traffic from being forwarded through your RE.

              The first term picks out the host you will SSH from and rejects SSH from everyone else. The second term lets all other traffic pass through to your core.

              lo0 {
                  description "br0 loopback";
                  unit 0 {
                      family inet {
                          filter {
                              input re-filter;
                          }
                          address 127.0.0.1/32;
                          address 172.16.9.1/32 {
                              primary;
                          }
                      }
                  }
              }
              

              And then the firewall filter itself (the name must match the one applied on lo0):

              firewall {
                  family inet {
                      filter re-filter {
                          term ssh {
                              from {
                                  source-address {
                                      10.0.1.254/32 except;
                                  }
                                  destination-port ssh;
                              }
                              then {
                                  discard;
                              }
                          }
                          term no-ssh {
                              then {
                                  accept;
                              }
                          }
                      }
                  }
              }
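Two pieces of Junos filter semantics decide whether the filter above does what the warning fears. First, `except` negates a prefix, and when every prefix in a `source-address` list is an `except`, Junos implicitly matches every other address, so term `ssh` catches SSH from anyone but 10.0.1.254. Second, terms are evaluated first match wins, and a packet that matches no term hits an implicit discard, so without the final `no-ssh` accept term everything destined to the RE (BGP, OSPF, management) would be dropped. The Python below is an added example, not part of the original post, that models those rules and evaluates the page's two terms over constructed sample packets; 192.0.2.7 is a made-up client address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Prefix:
    """One entry of a Junos source-address list; negate models the 'except' keyword."""
    network: ipaddress.IPv4Network
    negate: bool = False


@dataclass
class Term:
    """A filter term: optional match conditions plus a terminating action."""
    name: str
    source_addresses: List[Prefix] = field(default_factory=list)
    destination_ports: List[int] = field(default_factory=list)
    action: str = "accept"


def source_matches(prefixes: List[Prefix], src: str) -> bool:
    """Longest-prefix match over the list decides. If every entry is 'except',
    Junos implicitly adds 0.0.0.0/0, so all other addresses match the term."""
    if not prefixes:
        return True  # the term has no source-address condition
    entries = list(prefixes)
    if all(p.negate for p in entries):
        entries.append(Prefix(ipaddress.ip_network("0.0.0.0/0")))
    addr = ipaddress.ip_address(src)
    best: Optional[Prefix] = None
    for p in entries:
        if addr in p.network and (best is None or p.network.prefixlen > best.network.prefixlen):
            best = p
    return best is not None and not best.negate


def evaluate(terms: List[Term], src: str, dport: int) -> Tuple[str, str]:
    """First matching term wins; a packet matching no term hits the implicit discard.
    Returns (action, term name)."""
    for t in terms:
        if source_matches(t.source_addresses, src) and (
            not t.destination_ports or dport in t.destination_ports
        ):
            return t.action, t.name
    return "discard", "<implicit>"


# The page's re-filter: drop SSH from everyone except 10.0.1.254, accept the rest.
RE_FILTER = [
    Term("ssh", [Prefix(ipaddress.ip_network("10.0.1.254/32"), negate=True)], [22], "discard"),
    Term("no-ssh", action="accept"),
]


if __name__ == "__main__":
    # Constructed sample packets towards the RE: (source, destination port).
    for src, dport in [("10.0.1.254", 22), ("192.0.2.7", 22), ("192.0.2.7", 179)]:
        print(f"{src}:{dport} -> {evaluate(RE_FILTER, src, dport)}")
    # Failure case from the warning: with the accept term missing, BGP (tcp/179)
    # to the RE falls through to the implicit discard.
    print("without no-ssh:", evaluate(RE_FILTER[:1], "192.0.2.7", 179))
```

A practical check before committing such a filter is to evaluate it against the protocols the box actually runs to the RE (BGP, IGP, NTP, the management host's SSH) and confirm each one lands on an explicit accept rather than the implicit discard; `commit confirmed` gives you a way back if the model and the box disagree.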