AS-path filtering

Monday, June 22nd, 2009

Cisco way:

ip as-path access-list 1 deny _1234$
ip as-path access-list 1 deny _5678$
ip as-path access-list 1 permit .*

router bgp 100
neighbor 192.168.0.1 remote-as 200
neighbor 192.168.0.1 description ebgp-test
neighbor 192.168.0.1 filter-list 1 in

Juniper way:

protocols {
    bgp {
        group ebgp-test {
            type external;
            import test-in;
            peer-as 200;
            neighbor 192.168.0.1;
        }
    }
}
policy-options {
    as-path a ".* 1234";
    as-path b ".* 5678";
    policy-statement test-in {
        from as-path [ a b ];
        then reject;
    }
}

Anything not rejected by test-in is accepted by the default BGP import policy, which is what the final permit .* does on the Cisco side.
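
As an added example, not from the original post, the following Python script implements enough of both regex dialects to test the filters above against constructed sample AS paths. It shows that the Cisco _1234$ / _5678$ entries and the Junos as-paths a and b reject the same paths, and why the Cisco _ anchor matters: without it, 1234$ also matches a path ending in AS 91234.

```python
import re

# Cisco: the AS path is matched as text; "_" is a boundary (start or end of the
# path, a space, a comma, or a brace/parenthesis), so _1234 cannot match 91234.
_CISCO_UNDERSCORE = r"(?:^|$|[\s,{}()])"


def cisco_match(as_path_regex: str, as_path: str) -> bool:
    """True if a Cisco 'ip as-path access-list' regex matches the AS path text."""
    pattern = as_path_regex.replace("_", _CISCO_UNDERSCORE)
    return re.search(pattern, as_path) is not None


def junos_match(as_path_regex: str, as_path: str) -> bool:
    """True if a Junos as-path regex matches the path.

    Junos matches whole AS numbers, not characters: each whitespace-separated
    term is an AS number or "." (any AS), optionally followed by *, + or ?.
    Only that subset is translated here; the whole path must match.
    """
    parts = []
    for term in as_path_regex.split():
        quant = term[-1] if term[-1] in "*+?" else ""
        atom = term[:-1] if quant else term
        atom_re = r"\d+" if atom == "." else re.escape(atom)
        parts.append(r"(?:%s )%s" % (atom_re, quant))
    # Every AS number is followed by one space, so a term can only ever match
    # a complete AS number.
    normalized = "".join(asn + " " for asn in as_path.split())
    return re.fullmatch("".join(parts), normalized) is not None


def rejected(paths, cisco_denies, junos_as_paths):
    """Apply both deny lists to the sample paths; return (cisco_hits, junos_hits)."""
    cisco = [p for p in paths if any(cisco_match(r, p) for r in cisco_denies)]
    junos = [p for p in paths if any(junos_match(r, p) for r in junos_as_paths)]
    return cisco, junos


# Constructed sample AS paths as they might be received from peer AS 200.
SAMPLE_PATHS = ["200 1234", "200 5678", "200 91234", "200 1234 300", "1234 200", "200"]

if __name__ == "__main__":
    cisco, junos = rejected(SAMPLE_PATHS, ["_1234$", "_5678$"], [".* 1234", ".* 5678"])
    print("rejected by Cisco filter-list 1 :", cisco)
    print("rejected by Junos as-path a/b   :", junos)
    # Without the "_" anchor, 1234$ also matches AS 91234, a different network.
    print("rejected by unanchored 1234$    :", [p for p in SAMPLE_PATHS if cisco_match("1234$", p)])
```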

Juniper interface names

Thursday, June 18th, 2009

Interfaces

ae: Aggregated Ethernet. A virtual aggregated link.
as: Aggregated SONET/SDH. A virtual aggregated link.
at: ATM1 or ATM2 IQ. Asynchronous Transfer Mode.
cau4: Channelized AU-4 IQ. Configured on the Channelized STM-1 IQ PIC.
coc1: Channelized OC-1 IQ. Configured on the Channelized OC-12 IQ PIC.
coc12: Channelized OC-12 IQ. Configured on the Channelized OC-12 IQ PIC.
cstm1: Channelized STM-1 IQ. Configured on the Channelized STM-1 IQ PIC.
ce1: Channelized E1 IQ. Configured on the Channelized E1 IQ PIC or Channelized STM-1 IQ PIC.
ct1: Channelized T1 IQ. Configured on the Channelized DS-3 IQ PIC or Channelized OC-12 IQ PIC.
ct3: Channelized T3 IQ. Configured on the Channelized DS-3 IQ PIC or Channelized OC-12 IQ PIC.
cp: Collector. Configured on the Monitoring Services II PIC.
ds: DS-0. Configured on the Channelized DS-3 to DS-0 PIC, Channelized E1 PIC, or Channelized OC-12 IQ PIC.
dsc: Discard. Allows you to identify the ingress point of a denial-of-service (DoS) attack.
e1: E1. Includes the channelized STM-1 to E1 interfaces.
e3: E3. Includes the E3 IQ interfaces.
es: Encryption. Allows you to configure a security association (SA) name with a logical interface.
fe: Fast Ethernet. 100Base-TX (Fast Ethernet, 100 Mbps).
fxp0: Management and internal Ethernet. The management Ethernet interface is an out-of-band management interface within the routing platform.
fxp1: Interface that connects the Routing Engine and the Packet Forwarding Engine.
ge: Gigabit Ethernet. Includes Gigabit Ethernet IQ interfaces.
gr: Generic Route Encapsulation tunnel. Allows you to configure a unicast tunnel using GRE encapsulation.
gre: Internally generated. This interface is internally generated and is not configurable.
ip: IP-over-IP encapsulation tunnel. Allows you to configure a unicast tunnel using IP-IP encapsulation.
ipip: Internally generated. This interface is internally generated and is not configurable.
lo: Loopback. This interface is internally generated. The logical interface lo0.16383 is a non-configurable interface for routing platform control traffic.
ls: Link services. Supports bundles that contain links.
lsi: Internally generated. This interface is internally generated and is not configurable.
ml: Multilink. Includes Multilink Frame Relay and Multilink PPP.
mo: Monitoring services. Includes the monitoring services and monitoring services II interfaces. The logical interface mo-fpc/pic/port.16383 is an internally generated, non-configurable interface for routing platform control traffic.
mt: Multicast tunnel. Internal routing platform interface for VPNs.
mtun: Internally generated. This interface is internally generated and is not configurable.
me0: Out-of-band management interface on EX switches.
oc3: OC-3 IQ. Configured on the Channelized OC-12 IQ PIC.
pe: This interface is present on the first-hop routing platform. It encapsulates packets destined for the rendezvous point (RP) routing platform.
pd: This interface is present on the RP. It de-encapsulates packets at the RP.
pimd: Internally generated. This interface is internally generated and is not configurable.
pime: Internally generated. This interface is internally generated and is not configurable.
rlsq: A redundant bundle interface made of two or more lsq interfaces, used when you have redundant AS PICs.
se: Serial. Includes the EIA-530, V.35, and X.21 interfaces.
so: SONET/SDH. Both are widely used methods for very high speed transmission of voice and data signals across the numerous world-wide fiber-optic networks.
sp: Adaptive services. The logical interface sp-fpc/pic/port.16383 is an internally generated, non-configurable interface for routing platform control traffic.
t1: T1. Includes the channelized DS-3 to DS-1 interfaces.
t3: T3. Includes the channelized OC-12 to DS-3 interfaces.
tap: Internally generated. This interface is internally generated and is not configurable.
vcp: Virtual Chassis interface (EX4200 only).
vsp: Voice services. The Adaptive Services (AS) Physical Interface Card (PIC) supports the compressed real-time transport protocol (RTP) on this interface.
vt: Virtual loopback tunnel. On routing platforms equipped with a Tunnel PIC, enables egress filtering.
xe: 1GE optical interface on EX switches.

Juniper reference:
http://www.juniper.net/techpubs/software/nog/nog-interfaces/download/nog-interfaces.pdf


Juniper Tacacs & Rancid

Sunday, June 14th, 2009

Short howto on configuring TACACS+ and RANCID for Juniper.

Download tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/. You will also need tcp_wrappers for tac_plus to work.

Install tcp_wrappers and tacacs

yum install -y tcp_wrappers
yum install -y tcp_wrappers-devel
yum install -y tcp_wrappers-libs
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
tar zxvf tacacs+-F4.0.4.15.tar.gz
cd tacacs+-F4.0.4.15
./configure
make
make install

Setup tacacs.conf

key = "secretkey"
accounting file = /var/log/tac_plus
acl = HomeNet {
    permit = 10.2.2.1
}
user = rancid {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}
user = giany {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}

Configure Juniper Tacacs

set system authentication-order [ tacplus password ]

set system tacplus-server 10.2.2.1 secret secretkey
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login class network permissions network
set system login class network permissions view
set system login user operations full-name "Users with Full Access"
set system login user operations uid 9999
set system login user operations class super-user
set system login user operations authentication encrypted-password "xxx"
set system login user restricted full-name "Restricted"
set system login user restricted uid 2000
set system login user restricted class read-only
set system login user restricted authentication encrypted-password "xxx"

RANCID

# adduser rancid
# wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.1.tar.gz
# tar zxvf rancid-2.3.1.tar.gz
# cd rancid-2.3.1
# ./configure --prefix=/home/rancid
# make
# make install
# su - rancid
$ export CVSROOT=/home/rancid/var/CVS
$ cvs init
$ rancid-cvs

.cloginrc

add method 10.2.2.2 ssh

add method 10.100.100.1 ssh
add user olive rancid
add user cisco rancid
add password olive {mypass} {mypass}
add password cisco {mypass} {mypass}

Debug

[rancid@box ~]$ clogin cisco
cisco
spawn ssh -c 3des -x -l rancid cisco
rancid@cisco's password:
Corp:2>enable
Password:
Corp:2#

[rancid@box ~]$ jlogin olive
olive
spawn ssh -c 3des -x -l rancid olive

WARNING: You are being watched.
rancid@olive's password:
--- JUNOS 7.4R2.6 built 2006-01-20 14:27:46 UTC
rancid@olive.x83.net>

# tail -f /var/log/tac_plus

Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
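
The accounting lines above are easy to audit programmatically. The following Python script is an added example, not part of the original howto: it parses the tac_plus accounting format shown (fixed fields followed by attr=value or attr*value pairs) and pairs start and stop records per router and task_id, so that sessions that never stopped, or stops with no matching start, stand out. The embedded log lines are the ones from the post above.

```python
from dataclasses import dataclass

# The accounting lines printed by "tail -f /var/log/tac_plus" in the post above.
SAMPLE_LOG = """\
Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
"""


@dataclass
class Record:
    timestamp: str   # "Mon Aug 4 16:20:37 2008"
    nas: str         # router that sent the accounting record
    user: str
    tty: str
    remote: str      # where the user logged in from
    event: str       # "start" or "stop"
    attrs: dict      # the attribute/value pairs that follow


def parse_line(line: str) -> Record:
    """Split one tac_plus accounting line into its fixed fields and AV pairs."""
    tok = line.split()
    nas, user, tty, remote, event = tok[5:10]
    attrs = {}
    for av in tok[10:]:
        # "attr=value" is a mandatory attribute, "attr*value" an optional one.
        sep = "=" if "=" in av else "*"
        key, _, value = av.partition(sep)
        attrs[key] = value
    return Record(" ".join(tok[:5]), nas, user, tty, remote, event, attrs)


def sessions(log: str):
    """Pair start/stop records by (NAS, task_id) in log order.

    Returns (closed, still_open, orphan_stops). task_id is reused per router
    (task_id=1 above belongs to three different mgd processes), so a stop is
    matched to the latest unmatched start with the same key only.
    """
    pending, closed, orphans = {}, [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec.nas, rec.attrs.get("task_id"))
        if rec.event == "start":
            pending.setdefault(key, []).append(rec)
        elif rec.event == "stop":
            if pending.get(key):
                closed.append((pending[key].pop(), rec))
            else:
                orphans.append(rec)   # stop without a start in this log window
    still_open = [r for stack in pending.values() for r in stack]
    return closed, still_open, orphans


if __name__ == "__main__":
    closed, still_open, orphans = sessions(SAMPLE_LOG)
    for start, stop in closed:
        print("%s %s@%s from %s: %ss" % (start.timestamp, start.user, start.nas,
                                         start.remote, stop.attrs.get("elapsed_time")))
    print("open sessions:", [(r.user, r.nas, r.attrs.get("process")) for r in still_open])
    print("stops without start:", [(r.user, r.nas, r.timestamp) for r in orphans])
```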

Set an idle-timeout so that an inactive user gets disconnected after a while:

login {
    class admin {
        idle-timeout 4;
        permissions all;
    }
    user test {
        class admin;
    }
}

On the terminal you will get something like this:

test@br0> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection closed by foreign host.

Detect transient routes Juniper

Saturday, June 13th, 2009

oper@re> show route extensive 10.10.195.25

inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden)
10.10.195.0/24 (1 entry, 1 announced)
TSI:
KRT in-kernel 10.10.195.0/24/30 -> {10.10.4.3}
         *BGP    Preference: 170/-101
                 Next hop type: Router, Next hop index: 453   <<<<<<<<<<<<<<<<<<<<
                 Next-hop reference count: 9
                 Source: 10.10.4.3
                 Next hop: 10.10.4.3 via t2-1/0/1:0.0, selected
                 State: 
                 Local AS: 65101 Peer AS: 65000
                 Age: 4:19:18
                 Task: BGP_65000.10.10.4.3+179
                 Announcement bits (1): 0-KRT
                 AS path: 65000 65001 I
                 Communities: target:65000:1 src-as:65000:0 rt-import:
10.128.128.3:5
                 Accepted
                 Localpref: 100
                 Router ID: 10.10.0.1
oper@re> start shell pfe network feb

SBR platform (266Mhz PPC 603e processor, 32MB memory, 512KB flash)

SBR(fire vty)# show nhdb id 453
    ID      Type      Interface    Next Hop Addr    Protocol    Encap         MTU
-----  --------  -------------  ---------------  ----------  ------------  ----
   453   Unicast  t1-1/0/2:0.0   10.10.4.0           IPv4     PPP           1203

Install SX Cards

Saturday, June 13th, 2009

If you install a GigE SX card into an FPC slot, issue:

request chassis pic fpc-slot 1 pic-slot 2 online

Eject users Juniper

Saturday, June 13th, 2009

Let's say you want to log out (kick) a user:

rancid@br0> show system users
11:23PM  up 1 day, 19 mins, 3 users, load averages: 0.07, 0.02, 0.00
USER     TTY      FROM                              LOGIN@  IDLE WHAT
root     d0       -                                3:23PM   4:59 -csh (csh)
rancid   p0       10.0.1.254                       8:55PM      - -cli (cli)
test     p1       10.0.1.254                       11:23PM     - -cli (cli)    

rancid@br0> request system logout user test

And test will see:

--- JUNOS 8.5R3.4 built 2008-04-24 03:40:14 UTC
test@br0> Connection closed by foreign host.

Restrict VTY access Juniper

Saturday, June 13th, 2009

Restricting remote access to your RE. The idea is to allow remote logins via ssh or telnet.
I want only one host with a specific IP to be able to SSH in; the rest will be rejected.
!!! Warning !!!
You need to understand that if you don't configure this correctly you might stop all traffic from being forwarded through your RE.

First you use a term to match the host from which you will use ssh and reject the rest. The second term allows all other traffic to pass through your core.

lo0 {
    description "br0 loopback";
    unit 0 {
        family inet {
            filter {
                input lo-filter;
            }
            address 127.0.0.1/32;
            address 172.16.9.1/32 {
                primary;
            }
        }
    }
}

And then the policy filter:

filter lo-filter {
    term ssh {
        from {
            source-address {
                10.0.1.254/32 except;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term no-ssh {
        then {
            accept;
        }
    }
}

Redistribute route Juniper

Saturday, June 13th, 2009

Let's say you have set up some dynamic routing (RIP, OSPF, BGP, IS-IS, ...) and you want to redistribute routes into it.

redistribute connected

policy-statement Connected {
    term connected {
        from protocol direct;
        then accept;
    }
}

redistribute static

policy-statement Static {
    term static {
        from protocol static;
        then accept;
    }
}

redistribute local

policy-statement Local {
    term local {
        from protocol local;
        then accept;
    }
}

reject anything else

term else {
    then reject;
}

And the whole policy will look like:

policy-statement distribute-routes {
    term connected {
        from protocol direct;
        then accept;
    }
    term static {
        from protocol static;
        then accept;
    }
    term local {
        from protocol local;
        then accept;
    }
    term else {
        then reject;
    }
}

It looks easy, I guess, but what if you want to redistribute OSPF routes?

redistribute ospf routes

If you are using OSPF as the IGP and BGP as the EGP and you want to export OSPF routes to BGP peers, then you have to create a policy for that.
Something like:

policy-statement ospf-routes {
    term 1 {
        from {
            protocol ospf;
            area 0.0.0.0;
        }
        then accept;
    }
    term 2 {
        then reject;
    }
}

send default route to bgp peer

Let's assume you want to send 0.0.0.0/0 (the default route) to a BGP peer.

First you need to have a route for 0.0.0.0/0 before you can export it to a peer. I guess this is the difference between the Juniper and Cisco configs, Cisco provides you a shortcut with the ‘default-originate’ keyword which does it all in one step. If you don’t have a route for 0.0.0.0/0 defined somewhere that is at least part of the problem.

First we generate the default route (if you don't have one yet):

routing-options {
    generate {
        route 0.0.0.0/0 discard;
    }
}

then we create a policy for 0/0 :

policy-options {
    policy-statement default-originate {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}

A simple BGP neighbour will have something like:

neighbor aaa.bbb.ccc.ddd {
    export default-originate;
}

OSPF Juniper

Saturday, June 13th, 2009

OK, so it's the same topology as for RIP. For the interface configuration check [[ Juniper RIP Howto ]].

Configuration

R1:

set protocols ospf area 0.0.0.0 interface fxp1.0

R2:

set protocols ospf area 0.0.0.0 interface fxp1.0
set protocols ospf area 0.0.0.0 interface fxp2.0

R3:

set protocols ospf area 0.0.0.0 interface fxp2.0
set protocols ospf area 0.0.0.0 interface fxp1.0
set protocols ospf area 0.0.0.0 interface fxp1.2

R4:

set protocols ospf area 0.0.0.0 interface fxp1.0
set protocols ospf area 0.0.0.0 interface fxp1.2

Debug

[root@box ~]# jlogin -c "show route" 10.0.1.1
spawn ssh -c 3des -x -l rancid 10.0.1.1
rancid@10.0.1.1's password:
--- JUNOS 8.5R3.4 built 2008-04-24 03:40:14 UTC
rancid@br0> 

rancid@br0> set cli complete-on-space off
Disabling complete-on-space

rancid@br0> set cli screen-length 0
Screen length set to 0

rancid@br0> show route 

inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:26:09
                    > to 10.0.1.254 via fxp0.0
10.0.1.0/24        *[Direct/0] 00:26:10
                    > via fxp0.0
10.0.1.1/32        *[Local/0] 00:26:10
                      Local via fxp0.0
172.16.9.1/32      *[Direct/0] 00:26:10
                    > via lo0.0
192.168.5.0/30     *[Direct/0] 00:26:10
                    > via fxp1.0
192.168.5.1/32     *[Local/0] 00:26:10
                      Local via fxp1.0
192.168.6.0/30     *[OSPF/10] 00:12:51, metric 20               // routes from R3
                    > to 192.168.5.2 via fxp1.0
192.168.7.0/29     *[OSPF/10] 00:12:39, metric 30               // routes from R4
                    > to 192.168.5.2 via fxp1.0
192.168.8.0/29     *[OSPF/10] 00:12:39, metric 30               // routes from R4
                    > to 192.168.5.2 via fxp1.0
224.0.0.5/32       *[OSPF/10] 00:26:12, metric 1
                      MultiRecv

rancid@br0> quit
Connection to 10.0.1.1 closed.

As you can see, R1 gets the routes from R3 and R4. Ping should also work between these four routers.

[root@box ~]# jlogin -c "ping rapid 192.168.7.2" 10.0.1.1
spawn ssh -c 3des -x -l rancid 10.0.1.1
rancid@10.0.1.1's password:
--- JUNOS 8.5R3.4 built 2008-04-24 03:40:14 UTC
rancid@br0> 

rancid@br0> set cli complete-on-space off
Disabling complete-on-space

rancid@br0> set cli screen-length 0
Screen length set to 0

rancid@br0> ping rapid 192.168.7.2
PING 192.168.7.2 (192.168.7.2): 56 data bytes
!!!!!
--- 192.168.7.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 8.507/13.222/21.780/5.199 ms

rancid@br0> quit
Connection to 10.0.1.1 closed.

View ospf database:

rancid@br0> show ospf database
    OSPF link state database, Area 0.0.0.0
 Type       ID               Adv Rtr           Seq      Age  Opt  Cksum  Len
Router  *172.16.9.1       172.16.9.1       0x80000004   982  0x22 0xfa8   36
Router   172.16.9.2       172.16.9.2       0x80000008   971  0x22 0x783f  48
Router   172.16.9.3       172.16.9.3       0x80000009   972  0x22 0x872c  60
Router   172.16.9.4       172.16.9.4       0x80000004   976  0x22 0xe2cd  48
Network  192.168.5.2      172.16.9.2       0x80000001   983  0x22 0x175   32
Network  192.168.6.2      172.16.9.3       0x80000001   972  0x22 0x86a   32
Network  192.168.7.1      172.16.9.3       0x80000002   137  0x22 0x96a   32
Network  192.168.8.1      172.16.9.3       0x80000002   437  0x22 0xfd74  32

redistribute routes

Lets say we set on R1 a default route:

set routing-options static route 0.0.0.0/0 next-hop 10.0.1.254

And now you want to send a default route to the rest of the routers. First we need to create a policy statement
matching protocol static. Of course you can match specific routes instead; check [[ Redistribute routes ]] for details.

set policy-options policy-statement default-route term 1 from protocol static
set policy-options policy-statement default-route term 1 then accept

and then we export that statement into OSPF:

set protocols ospf export default-route

Routing table on R2 will look like:

rancid@R2> show route
0.0.0.0/0          *[OSPF/150] 00:25:16, metric 0, tag 0
                    > to 192.168.5.1 via fxp1.0

As you can see, it receives 0.0.0.0/0 via OSPF.

OSPF intro

Saturday, June 13th, 2009

As you probably know, OSPF (Open Shortest Path First) is a link-state protocol. When a router begins operating on a network link, information associated with that logical network is added to its local link-state database.

The local router then sends Hello messages on its operational links to determine whether other link-state routers are operating on the interfaces as well. When a remote router is located, the local router attempts to form an adjacency.
This adjacency enables the two routers to advertise summary link-state database information to each other.

This exchange is not the actual detailed database information, but is truly a summary of the data. Each router evaluates the summary data against its local link-state database to verify that it has the most up-to-date information. Should one side of the adjacency realize that it requires an update, that router requests the new information from the adjacent router.
The update includes the actual data contained in the link-state database. This exchange process continues until both routers have identical link-state databases.

Each router uses the Dijkstra Algorithm to process the database information into a path to each destination in the network. Every link-state router uses the same algorithm to process its database, requiring each router to maintain consistent information to get the same results.

Common Packet Header
All OSPF packets share a common 24-octet header. This header allows the receiving router to determine whether the packet is valid and should be processed. The OSPF header fields include the following:

Version (1 octet)
This field details the current version of OSPF used by the local router. It is set to a value of 2, the default value.
Type (1 octet)
This field specifies the type of OSPF packet. Possible values include:

*1—Hello packet
*2—Database descriptor
*3—Link-state request
*4—Link-state update
*5—Link-state acknowledgment

Packet Length (2 octets)
This field displays the total length, in octets, of the OSPF packet.
Router ID (4 octets)
The router ID of the advertising router appears in this field.
Area ID (4 octets)
This field contains the 32-bit area ID assigned to the interface used to send
the OSPF packet.
Checksum (2 octets)
This field displays a standard IP checksum for the entire OSPF packet,
excluding the 64-bit authentication field.
Authentication Type (2 octets)
The specific type of authentication used by OSPF is encoded in this field. Possible values are:
*0—Null authentication
*1—Simple password
*2—MD5 cryptographic authentication

Authentication (8 octets)
This field displays the authentication data to verify the packet’s integrity.
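
As an added example, not from the original text, here is a Python parser for the common header described above. It builds a constructed Hello packet, then decodes the header fields and applies the checks a receiving router makes: version, type, length, authentication type, and the checksum computed over everything except the 8-octet authentication field. The Hello body contents are sample values; the router ID 172.16.9.1 is the one used earlier on this page.

```python
import socket
import struct

OSPF_HEADER_LEN = 24
HEADER_FMT = "!BBH4s4sHH"   # version, type, length, router ID, area ID, checksum, auth type
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic (MD5)"}


def ip_checksum(data: bytes) -> int:
    """Standard IP one's-complement checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(pkt_type, router_id, area_id, body, auth_type=0, auth=bytes(8)):
    """Prepend the 24-octet common header. The checksum covers the whole packet
    except the 8-octet authentication field; with MD5 auth it is left at zero."""
    rid, area = socket.inet_aton(router_id), socket.inet_aton(area_id)
    length = OSPF_HEADER_LEN + len(body)
    head = struct.pack(HEADER_FMT, 2, pkt_type, length, rid, area, 0, auth_type)
    csum = 0 if auth_type == 2 else ip_checksum(head + body)
    return struct.pack(HEADER_FMT, 2, pkt_type, length, rid, area, csum, auth_type) + auth + body


def parse_header(packet: bytes) -> dict:
    """Decode the common header and list the reasons a receiver would drop the packet."""
    if len(packet) < OSPF_HEADER_LEN:
        raise ValueError("packet shorter than the OSPF common header")
    version, ptype, length, rid, area, csum, auth_type = struct.unpack(HEADER_FMT, packet[:16])
    problems = []
    if version != 2:
        problems.append("version %d is not OSPFv2" % version)
    if ptype not in PACKET_TYPES:
        problems.append("unknown packet type %d" % ptype)
    if auth_type not in AUTH_TYPES:
        problems.append("unknown authentication type %d" % auth_type)
    if not OSPF_HEADER_LEN <= length <= len(packet):
        problems.append("length field %d does not fit the packet" % length)
    # A correct checksum makes the one's-complement sum of the covered bytes
    # (header without the auth field, plus the body) come out as zero.
    elif auth_type != 2 and ip_checksum(packet[:16] + packet[24:length]) != 0:
        problems.append("checksum mismatch")
    return {"version": version, "type": ptype, "type_name": PACKET_TYPES.get(ptype, "?"),
            "length": length, "router_id": socket.inet_ntoa(rid), "area_id": socket.inet_ntoa(area),
            "checksum": csum, "auth_type": auth_type, "auth_name": AUTH_TYPES.get(auth_type, "?"),
            "authentication": packet[16:24], "problems": problems}


# Constructed Hello body: mask /24, hello 10 s, options 0x02, priority 1, dead 40 s, no DR/BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10, 0x02, 1, 40, bytes(4), bytes(4))
SAMPLE_HELLO = build_packet(1, "172.16.9.1", "0.0.0.0", HELLO_BODY)

if __name__ == "__main__":
    corrupted = SAMPLE_HELLO[:30] + bytes([SAMPLE_HELLO[30] ^ 0xFF]) + SAMPLE_HELLO[31:]
    for name, pkt in (("valid", SAMPLE_HELLO), ("corrupted", corrupted)):
        print(name, parse_header(pkt)["problems"] or "ok")
```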