Copyright © 2011 x83.net. All rights reserved.
Interfaces
ae: Aggregated Ethernet. A virtual aggregated link.
as: Aggregated SONET/SDH. A virtual aggregated link.
at: ATM1 or ATM2 IQ. Asynchronous Transfer Mode.
cau4: Channelized AU-4 IQ. Configured on the Channelized STM-1 IQ PIC.
coc1: Channelized OC-1 IQ. Configured on the Channelized OC-12 IQ PIC.
coc12: Channelized OC-12 IQ. Configured on the Channelized OC-12 IQ PIC.
cstm1: Channelized STM-1 IQ. Configured on the Channelized STM-1 IQ PIC.
ce1: Channelized E1 IQ. Configured on the Channelized E1 IQ PIC or Channelized STM-1 IQ PIC.
ct1: Channelized T1 IQ. Configured on the Channelized DS-3 IQ PIC or Channelized OC-12 IQ PIC.
ct3: Channelized T3 IQ. Configured on the Channelized DS-3 IQ PIC or Channelized OC-12 IQ PIC.
cp: Collector. Configured on the Monitoring Services II PIC.
ds: DS-0. Configured on the Channelized DS-3 to DS-0 PIC, Channelized E1 PIC, or Channelized OC-12 IQ PIC.
dsc: Discard. Allows you to identify the ingress point of a denial-of-service (DoS) attack.
e1: E1. Includes the channelized STM-1 to E1 interfaces.
e3: E3. Includes the E3 IQ interfaces.
es: Encryption. Allows you to configure a security association (SA) name with a logical interface.
fe: Fast Ethernet. 100Base-TX (Fast Ethernet, 100 Mbps).
fxp0: Management and internal Ethernet. The management Ethernet interface is an out-of-band management interface within the routing platform.
fxp1: Interface that connects the Routing Engine and the Packet Forwarding Engine.
ge: Gigabit Ethernet. Includes Gigabit Ethernet IQ interfaces.
gr: Generic Route Encapsulation tunnel. Allows you to configure a unicast tunnel using GRE encapsulation.
gre: Internally generated. This interface is internally generated and is not configurable.
ip: IP-over-IP encapsulation tunnel. Allows you to configure a unicast tunnel using IP-IP encapsulation.
ipip: Internally generated. This interface is internally generated and is not configurable.
lo: Loopback. This interface is internally generated. The logical interface lo0.16383 is a non-configurable interface for routing platform control traffic.
ls: Link services. Supports bundles that contain links.
lsi: Internally generated. This interface is internally generated and is not configurable.
ml: Multilink. Includes Multilink Frame Relay and Multilink PPP.
mo: Monitoring services. Includes the Monitoring Services and Monitoring Services II interfaces. The logical interface mo-fpc/pic/port.16383 is an internally generated, non-configurable interface for routing platform control traffic.
mt: Multicast tunnel. Internal routing platform interface for VPNs.
mtun: Internally generated. This interface is internally generated and is not configurable.
me0: Out-of-band management interface on EX switches.
oc3: OC-3 IQ. Configured on the Channelized OC-12 IQ PIC.
pe: This interface is present on the first-hop routing platform. Encapsulates packets destined for the rendezvous point (RP) routing platform.
pd: This interface is present on the RP. De-encapsulates packets at the RP.
pimd: Internally generated. This interface is internally generated and is not configurable.
pime: Internally generated. This interface is internally generated and is not configurable.
rlsq: A redundant bundle interface made of two or more lsq interfaces, used when you have redundant AS PICs.
se: Serial. Includes the EIA-530, V.35, and X.21 interfaces.
so: SONET/SDH. Both are widely used methods for very high-speed transmission of voice and data signals across the numerous worldwide fiber-optic networks.
sp: Adaptive services. The logical interface sp-fpc/pic/port.16383 is an internally generated, non-configurable interface for routing platform control traffic.
t1: T1. Includes the channelized DS-3 to DS-1 interfaces.
t3: T3. Includes the channelized OC-12 to DS-3 interfaces.
tap: Internally generated. This interface is internally generated and is not configurable.
vcp: Virtual chassis interface (EX4200 only).
vsp: Voice services. The Adaptive Services (AS) Physical Interface Card (PIC) supports the compressed Real-Time Transport Protocol (RTP) on this interface.
vt: Virtual loopback tunnel. On routing platforms equipped with a Tunnel PIC, enables egress filtering.
xe: 1GE optical interface on EX switches.
Juniper reference:
http://www.juniper.net/techpubs/software/nog/nog-interfaces/download/nog-interfaces.pdf
Short howto on configuring TACACS+ and RANCID for Juniper.
Download tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/ ; you will also need tcp_wrappers for tac_plus to work.
Install tcp_wrappers and tacacs
yum install -y tcp_wrappers
yum install -y tcp_wrappers-devel
yum install -y tcp_wrappers-libs
Download ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
tar zxvf tacacs+-F4.0.4.15.tar.gz
cd tacacs+-F4.0.4.15
./configure
make
make install
Set up tacacs.conf:
key = "secretkey"
accounting file = /var/log/tac_plus
acl = HomeNet {
    permit = 10.2.2.1
}
user = rancid {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}
user = giany {
    default service = permit
    login = cleartext mypass
    enable = cleartext mypass
    service = junos-exec {
        local-user-name = operations
    }
}
Configure Juniper Tacacs
set system authentication-order [ tacplus password ]
set system tacplus-server 10.2.2.1 secret secretkey
set system accounting events login
set system accounting events interactive-commands
set system accounting destination tacplus
set system login class network permissions network
set system login class network permissions view
set system login user operations full-name "Users with Full Access"
set system login user operations uid 9999
set system login user operations class super-user
set system login user operations authentication encrypted-password "xxx"
set system login user restricted full-name "Restricted"
set system login user restricted uid 2000
set system login user restricted class read-only
set system login user restricted authentication encrypted-password "xxx"
RANCID
# adduser rancid
Download ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.1.tar.gz
# tar zxvf rancid-2.3.1.tar.gz
# cd rancid-2.3.1
# ./configure --prefix=/home/rancid
# su - rancid
# set CVSROOT /home/rancid/var/CVS
# cvs init
# rancid-cvs
.cloginrc
add method 10.2.2.2 ssh
add method 10.100.100.1 ssh
add user olive rancid
add user cisco rancid
add password olive {mypass} {mypass}
add password cisco {mypass} {mypass}
Debug
[rancid@box ~]$ clogin cisco
cisco
spawn ssh -c 3des -x -l rancid cisco
rancid@cisco's password:
Corp:2>enable
Password:
Corp:2#
[rancid@box ~]$ jlogin olive
olive
spawn ssh -c 3des -x -l rancid olive
WARNING: You are being watched.
rancid@olive's password:
--- JUNOS 7.4R2.6 built 2006-01-20 14:27:46 UTC
rancid@olive.x83.net>
# tail -f /var/log/tac_plus
Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
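The accounting lines above are what you get to work with when you need to answer "who was on which box, from where, for how long". The following is an added example (my own code, not the page author's or tac_plus's) that pairs start/stop records into sessions and flags a start with no stop and a stop with no start; SAMPLE_LOG is constructed from the lines shown above.

```python
"""Pair start/stop records from a tac_plus accounting file (layout as in the
tail -f /var/log/tac_plus output above) into sessions. Added example, not the
page author's code; SAMPLE_LOG is constructed from the lines shown on the page."""
from datetime import datetime

SAMPLE_LOG = """\
Mon Aug 4 16:20:37 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=263 process*mgd[7038] cmd=logout
Mon Aug 4 16:26:15 2008 10.100.100.1 rancid tty2 10.100.100.100 start task_id=58 timezone=UTC service=shell
Mon Aug 4 16:26:43 2008 10.100.100.1 rancid tty2 10.100.100.100 stop task_id=58 timezone=UTC service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=101 elapsed_time=28 nas-rx-speed=0 nas-tx-speed=0
Mon Aug 4 16:26:56 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7045] cmd=login
Mon Aug 4 16:27:03 2008 10.2.2.2 rancid ttyp0 olive.x83.net stop task_id=1 service=shell elapsed_time=8 process*mgd[7045] cmd=logout
Mon Aug 4 16:27:15 2008 10.2.2.2 rancid ttyp0 olive.x83.net start task_id=1 service=shell process*mgd[7049] cmd=login
"""

def parse_line(line):
    """Fixed columns: weekday month day time year nas user tty remote start|stop,
    then AV pairs (mandatory ones as key=value, optional ones as key*value)."""
    t = line.split()
    rec = {"time": datetime.strptime(" ".join(t[1:5]), "%b %d %H:%M:%S %Y"),
           "nas": t[5], "user": t[6], "tty": t[7], "remote": t[8], "event": t[9]}
    for av in t[10:]:
        key, _, value = av.partition("=" if "=" in av else "*")
        rec[key] = value
    return rec

def pair_sessions(lines):
    """Return (closed sessions, starts with no stop yet, stops with no start seen)."""
    pending, closed, orphans = {}, [], []
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        # Junos logs task_id=1 for every login, so the mgd pid is needed to tell sessions apart.
        key = (r["nas"], r["user"], r.get("task_id"), r.get("process", ""))
        if r["event"] == "start":
            pending[key] = r
        elif r["event"] == "stop":
            start = pending.pop(key, None)
            if start is None:
                orphans.append(r)
            else:
                closed.append({"nas": r["nas"], "user": r["user"], "remote": r["remote"],
                               "start": start["time"], "stop": r["time"],
                               "elapsed": int(r.get("elapsed_time", 0))})
    return closed, list(pending.values()), orphans

if __name__ == "__main__":
    done, still_open, loose = pair_sessions(SAMPLE_LOG.splitlines())
    print(done, "open:", len(still_open), "stop without start:", len(loose))
```

On a real file, feed `open("/var/log/tac_plus")` to `pair_sessions` and watch the still-open list: a session that never logged a stop is the first thing to look at after an unexpected change.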
Set idle-timeout so that an inactive user is disconnected after a while:
login {
    class admin {
        idle-timeout 4;
        permissions all;
    }
    user test {
        class admin;
    }
}
On the terminal the user will see something like this:
test@br0> Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection closed by foreign host.
oper@re> show route extensive 10.10.195.25
inet.0: 24 destinations, 25 routes (23 active, 0 holddown, 1 hidden)
10.10.195.0/24 (1 entry, 1 announced)
TSI:
KRT in-kernel 10.10.195.0/24/30 -> {10.10.4.3}
*BGP Preference: 170/-101
Next hop type: Router, Next hop index: 453   <<<<<<<<<<
Next-hop reference count: 9
Source: 10.10.4.3
Next hop: 10.10.4.3 via t2-1/0/1:0.0, selected
State:
Local AS: 65101 Peer AS: 65000
Age: 4:19:18
Task: BGP_65000.10.10.4.3+179
Announcement bits (1): 0-KRT
AS path: 65000 65001 I
Communities: target:65000:1 src-as:65000:0 rt-import:10.128.128.3:5
Accepted
Localpref: 100
Router ID: 10.10.0.1

oper@re> start shell pfe network feb
SBR platform (266Mhz PPC 603e processor, 32MB memory, 512KB flash)
SBR(fire vty)# show nhdb id 453
ID    Type     Interface     Next Hop Addr   Protocol  Encap  MTU
----- -------- ------------- --------------- --------- ------ ----
453   Unicast  t1-1/0/2:0.0  10.10.4.0       IPv4      PPP    1203
If you install a GigE SX card into an FPC slot, bring the PIC online with:
request chassis pic fpc-slot 1 pic-slot 2 online
Let's say you want to log out (kick) a user:
rancid@br0> show system users
11:23PM  up 1 day, 19 mins, 3 users, load averages: 0.07, 0.02, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
root     d0       -                 3:23PM  4:59 -csh (csh)
rancid   p0       10.0.1.254        8:55PM     - -cli (cli)
test     p1       10.0.1.254       11:23PM     - -cli (cli)
rancid@br0> request system logout user test
And test will see:
--- JUNOS 8.5R3.4 built 2008-04-24 03:40:14 UTC
test@br0>
Connection closed by foreign host.
Restricting remote access to your RE. The idea is to control remote logins via SSH or telnet.
I want only one host with a specific IP to be able to SSH in; the rest will be rejected.
!!! Warning !!!
You need to understand that if you don't configure this correctly you might stop all traffic from being forwarded through your RE.
The first term matches the host you will SSH from (as an exception) and rejects SSH from everyone else. The second term accepts all other traffic so it can pass through your core.
lo0 {
    description "br0 loopback";
    unit 0 {
        family inet {
            filter {
                input re-filter;
            }
            address 127.0.0.1/32;
            address 172.16.9.1/32 {
                primary;
            }
        }
    }
}
And then the filter itself (named re-filter, to match the input filter applied on lo0 above):
filter re-filter {
    term ssh {
        from {
            source-address {
                10.0.1.254/32 except;
            }
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term no-ssh {
        then {
            accept;
        }
    }
}
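To check a filter like this before committing it, here is an added example (my own Python model, not Junos code) that evaluates the two terms above with Junos first-match semantics, including the `except` negation and the implicit discard that bites when the final accept term is missing; the flows in SAMPLES are constructed.

```python
"""Offline model of first-match Junos firewall-filter semantics, used to check the
lo0 filter above. Added example, not Junos code; the dict layout for terms and
packets is my own, the 'except' rule and the implicit final discard follow Junos."""
import ipaddress

# The page's filter: drop SSH to the RE unless it comes from 10.0.1.254, accept everything else.
RE_FILTER = [
    {"name": "ssh", "source-address": [("10.0.1.254/32", True)],  # (prefix, except)
     "destination-port": 22, "then": "discard"},
    {"name": "no-ssh", "then": "accept"},
]
# The same filter with the catch-all term forgotten: the lockout the page warns about.
LOCKOUT_FILTER = RE_FILTER[:1]

def source_matches(prefixes, src):
    """Longest matching prefix decides; an 'except' entry negates the match.
    When every entry is 'except', Junos implicitly matches 0.0.0.0/0 for the rest."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, is_except in prefixes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    if best is not None:
        return not best[1]
    return all(is_except for _, is_except in prefixes)

def evaluate(terms, pkt):
    """(action, term) of the first matching term; no match means implicit discard."""
    for term in terms:
        if "source-address" in term and not source_matches(term["source-address"], pkt["src"]):
            continue
        if "destination-port" in term and term["destination-port"] != pkt["dport"]:
            continue
        return term["then"], term["name"]
    return "discard", "<implicit>"

# Constructed sample flows addressed to the RE's loopback.
SAMPLES = {
    "admin_ssh": {"src": "10.0.1.254", "dport": 22},
    "other_ssh": {"src": "192.0.2.10", "dport": 22},
    "bgp_peer": {"src": "10.10.4.3", "dport": 179},
    "ospf": {"src": "10.10.4.3", "dport": None},  # no transport port
}

def lockout_report(terms):
    """Sample flows that would die on the implicit discard, i.e. the lockout check."""
    return [n for n, p in SAMPLES.items() if evaluate(terms, p) == ("discard", "<implicit>")]
```

Running `lockout_report(LOCKOUT_FILTER)` shows the admin's own SSH and the routing protocols all falling into the implicit discard, which is exactly the situation the warning above describes.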