JunOS

Control plane - Routing Engine (RE)
Data plane - Packet Forwarding Engine (PFE), which holds the forwarding table; a copy of the forwarding table is kept on the RE.
Packets destined to the router itself are processed by the RE.

Junos OS modular architecture - uses separate, independent modules.

Operational | Configuration mode

Dedicated management interface:
  fxp0 on M Series routers
  me0 on EX Series switches
All J Series devices support both management and transit traffic.

CLI modes
  Operational mode, identified by the > prompt character
  Configuration mode, identified by the # prompt character

Difference between brief and terse:
  sh int f0/0/0 br
  sh int f0/0/0 terse

Configuration mode syntax
  { } container
  ; leaf statement

Configuration mode navigation
  edit
  up x - move up x levels in the hierarchy; by default x = 1
  top - go to the top of the hierarchy
  exit

More help
  help command-name
  help apropos
  help reference
  help syslog
  help tip
  help topic

Separation of configuration editing and activation:
  validation checks
  version control
  automated rollback
  candidate configuration -> commit -> validated configuration -> active configuration

configure private - lets several users change the configuration at the same time
configure exclusive - prevents other users from making changes while you are connected to the box

show - displays the candidate config relative to the hierarchy level you are currently in

Set command
  from the top:
    set system services finger
    set system services ftp
    set system services ssh
  from the sublevel:
    set finger
    set ftp
    set ssh
delete - removes statements from the candidate config (*mind the hierarchy*)
compare - compares the candidate with the active config:
  + statements to be added
  - statements to be removed
commit check - validates whether the device accepts the candidate config, without activating it
commit -> "commit complete" (config active on the device)
commit confirmed - waits 10 minutes for a second commit; otherwise it rolls the config back to the previous state
rollback - only modifies the candidate config; don't forget to commit
rollback 0 - resets the candidate to the currently active config
rollback n - n is the number of the previously active config
rollback rescue - loads the previously created rescue file
Commit at a given time:
  router# commit at 02:00:00
copy - copies a hierarchy, e.g. that of an interface
rename - renames a statement
Using the pipe |:
  count - counts the number of lines in the output
run command - executes operational-mode commands from configuration mode

Junos system health
  Real-time Performance Monitoring (RPM)
  Flow accounting - cflowd
  Health monitor - RMON
Junos system health diagnostics
  system logging - hardware and operating events
  trace logging - protocol operations
  SNMP

Routing tables
The routing tables are inet.0 for IPv4 and inet6.0 for IPv6.
Predefined routing tables:
  inet.0   IPv4 unicast
  inet.1   multicast forwarding cache
  inet.2   used by MBGP to allow reverse path forwarding (RPF) checks
  inet.3   MPLS path information
  inet.4   MSDP routes
  inet6.0  IPv6 unicast
  mpls.0   MPLS next hops

Route preference = administrative distance (Cisco world):
  direct                       0
  local                        0
  static                       5
  OSPF internal               10
  RIP                        100
  OSPF AS external           150
  BGP (both EBGP and IBGP)   170

show route forwarding-table - there is a default entry for when the prefix does not exist; the source device is notified with ICMP unreachable.

Default routing instance
The default unicast table is named master and includes inet.0; it may also include inet6.0.
  show route instance
User-defined instances:
  edit routing-instances new-instance
  show route table new-instance.inet.0
There are several instance types:
  forwarding
  l2vpn
  no-forwarding
  virtual-router - system virtualization
  vpls - p2p or p2mp
  vrf - VPNs

Static routes are added under routing-options. The next-hop can be a bit bucket: the discard/reject options drop the traffic; discard drops silently (no ICMP is sent), reject sends ICMP unreachable.
Static routing config:
  routing-options {
      static {
          route 0.0.0.0/0 next-hop 172.30.25.1;
          route 172.28.102.0/24 {
              next-hop 10.210.11.190;
              no-readvertise;
          }
      }
  }
The next-hop must be directly connected, because by default Junos does not do recursive lookups. The resolve keyword can be used on the route to allow it.

Qualified next hops - allow setting the preference of a route (floating static route):
  qualified-next-hop x.x.x.x {
      preference 7;
  }

OSPF config
From version 8.x onwards the lo0 address / router-id is advertised automatically.
  edit protocols ospf
  set area 0 interface ge-0/0/1.0
If the unit is not given, Junos assumes unit 0.
  set area 0 interface ge-0/0/3.0 passive
Junos converts area 0 to dotted decimal 0.0.0.0:
  show
  area 0.0.0.0 {
      interface ge-0/0/1.0;
      interface ge-0/0/2.0;
      interface ge-0/0/3.0 {
          passive;
      }
  }
  show ospf neighbor {detail | extensive}
  show route protocol ospf

NETCONF XML interface
  load patch terminal

In operational mode: request system halt - reboots the box

NTP
For the system to synchronize at boot time, the following command is required:
  set system ntp boot-server 1.1.1.1
  set system time-zone Europe/Lisbon
In operational mode:
  set date ntp
request system configuration rescue {save | delete} - saves a copy of the current config as the rescue config
rollback rescue - this command only changes the candidate config

Operational mode: show system command arguments:
• alarms: Displays current system alarms
• boot-messages: Displays the messages seen during the last system boot
• connections: Displays the status of local TCP and UDP connections
• processes: Displays the system's process table
• statistics: Provides options for viewing various protocol statistics
• storage: Displays the status of the file system storage space

show version detail (includes the versions of the installed packages)

Junos naming convention
Package-release-edition, e.g. jroute-10.1R1.8-domestic-signed.tgz
release:
• Describes the Junos version
• Includes major and minor release numbers, release type (R, B or I), build number and spin number
edition:
• Versions are either domestic (supporting strong encryption) or export (not supporting encryption)
• Federal Information Processing Standards (FIPS) editions provide advanced network security
The letter is an R to indicate that this is released software. If you are involved in testing prereleased software, this letter might be a B (for beta-level software) or I (for internal, test, or experimental versions of software). The release also includes a build and spin number for the Junos version. Here, the release is 9.5R1.8, which is version 9.5, which has been released, build 1, spin 8.
-signed.tgz - Junos software is digitally signed and compressed using Secure Hash Algorithm (SHA-1) and Message Digest 5 (MD5) checksums. A package is installed only if the checksum within it matches the hash recorded in its corresponding file. The actual checksum used depends on the software version.

Upgrading Junos
  > request system software add /var/tmp/jbundle-10.1R1.8-domestic.tgz reboot
Commands useful in upgrading software:
• request system software add /var/tmp/ - upgrades software
• request system storage cleanup - deletes images
• show system storage - displays compact-flash device storage details
• request system software add /var/tmp/ reboot - upgrades the software and reboots

Password recovery
During the reboot process press Space:
  loader> boot -s (boots into single-user mode, similar to Linux)
When the system comes up it asks for the recovery script; just type recovery and the system boots, allowing login without a password.
After changing the password, leave with 'exit' to reboot.

Removing/copying files
  root@R1# run file ?
  Possible completions:
    <[Enter]>        Execute this command
    archive          Archives files from the system
    checksum         Calculate file checksum
    compare          Compare files
    copy             Copy files (local or remote)
    delete           Delete files from the system
    list             List file information
    rename           Rename files
    show             Show file contents
    source-address   Local address to use in originating the connection
    |                Pipe through a command
  root@R1# run file show /config/?
  Possible completions:
    <[Enter]>                  Execute this command
                               Filename to show
    /config/juniper.conf.1.gz  Size: 458, Last changed: May 24 19:58:53
    /config/juniper.conf.2.gz  Size: 454, Last changed: May 23 21:17:12
    /config/juniper.conf.3.gz  Size: 450, Last changed: May 23 15:03:46
    /config/juniper.conf.gz    Size: 452, Last changed: May 24 20:00:08
    /config/juniper.conf.md5   Size: 32, Last changed: May 22 23:45:51
    /config/rescue.conf.gz     Size: 454, Last changed: May 24 19:57:27

***********Introduction Junos OS (IJOS)****************

Architecture: Routing Engine (RE) ---- internal link ---- Packet Forwarding Engine (PFE)
Exception traffic is rate-limited on the internal link, protecting the control plane from attacks. This rate limit is not configurable; during congestion Junos gives preference to local and control traffic destined to the RE.

Family:
  M Series multiservice routers - up to 320 Gbps half-duplex
  T Series - up to 25 Tbps
  J Series Services Routers - up to 2 Gbps, remote/branch
  MX Series Ethernet Services Routers - up to 960 Gbps half-duplex
  EX Series switches - up to 6.2 Tbps full-duplex
  SRX Series Services Gateways - up to 120 Gbps

Spacebar completion for commands
Enabled by default. To disable it for the current session:
  user@router> set cli complete-on-space off

Using the pipe |
  show | compare
  show | match
  show | display set

Moving between hierarchies
  up x - up x levels in the hierarchy; when omitted, x = 1
  top - top of the hierarchy
  exit - up one level in the hierarchy
  exit configuration-mode - leaves configuration mode from any hierarchy level
  user@router# wildcard delete interfaces ge-1/*
    matched: ge-1/0/0
    matched: ge-1/0/1
  Delete 2 objects? [yes,no] (no) yes

Configuration helper commands:
  rename - renames a statement in the configuration, e.g. changes the name of an interface
  replace pattern - changes the config based on a pattern:
    replace pattern em4 with em5
  copy - copies the config of one interface to another
  activate / deactivate - allows a statement in the configuration to be ignored:
    deactivate interfaces em4
    activate interfaces em4
    interfaces {
        inactive: em4 {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
        }
    }
  annotate - adds comments to the configuration:
    annotate interfaces "n mudem interface"

Committing a config
  commit - makes the candidate the active config
  commit check - only validates the candidate config
  commit confirmed - a second commit is required within 10 minutes, otherwise an automatic rollback is performed
On devices with redundant REs, commit synchronize is required. This behaviour can be changed with set system commit synchronize; after that command, commit synchronizes the REs automatically.
  set system max-configurations-on-flash xx - xx is the maximum number of saved configs

Saving configuration
Saves the current config from the hierarchy level you are at:
  user@router# save path/filename
  ftp://user:password@router/path/filename
  scp://user@router/path/filename

Loading config files
  user@router# load (replace | merge | override) terminal
  replace - uses the replace: tag to substitute statements
  merge - adds the new config to the current config
  override - loads a new config, overwriting the current one; only possible at the top of the hierarchy
Use relative to load into the hierarchy level you are currently at:
  user@router# load (replace | merge | override) (filename | terminal) relative

Access parameters
  user@router> set cli idle-timeout 60
  Idle timeout set to 60 minutes
  user@router> set cli idle-timeout 0
  Idle timeout disabled

Powering Junos on and off
  request system halt - allows a graceful shutdown before removing power.
System power stays on; the box reboots on console activity.

Management network parameters
Static routing is only available while the routing protocol process (rpd) is up; in case it stops, a backup router can be configured:
  set system backup-router 172.20.101.1 destination 100.100.100.0/24

Interface overview
  fxp0 and me0 for management
  fxp1 and em0 for the internal link (interconnection between the control and forwarding planes)

Interface naming
  es: Encryption interface
  gr: Generic route encapsulation tunnel interface
  ip: IP-over-IP encapsulation tunnel interface
  ls: Link services interface
  ml: Multilink interface
  mo: Passive monitoring interface
  mt: Multicast tunnel interface
  sp: Adaptive services interface
  vt: Virtual loopback tunnel interface
  lo0: Loopback interface
  ae: Aggregated Ethernet interface
  as: Aggregated SONET interface
  vlan: VLAN interface
The Junos OS also creates a number of internal interfaces. These internally generated interfaces are nonconfigurable. The following are some examples:
• gre
• mtun
• ipip
• tap

Interface numbering: line card (FPC) slot number / interface card (PIC) slot number / port number
Note: slot/port numbering starts at 0, so ge-0/2/3 = port 3 on PIC slot 2 on FPC slot 0

Logical units
Note: treated as subinterfaces. They can carry more than one family, e.g. inet and inet6.

Configuring authentication
Supports RADIUS and TACACS+.
Define a class with privileges. There are 4 default classes: operator, read-only, super-user and unauthorized. A user can only be assigned to one class.
  set system login class juniper permissions reset
  set system login class juniper permissions view
  set system login class juniper permissions view-configuration
  set system login user walter class juniper
Note: the reset permission allows restarting processes, but not, for example, rebooting.
  nancy@R1> show configuration
  ## Last commit: 2014-05-25 17:11:18 WEST by root
  version /* ACCESS-DENIED */;
  /* nao mudem o NTP */
  system { /* ACCESS-DENIED */ };
  /* n mudem interface */
  interfaces { /* ACCESS-DENIED */ };
  protocols { /* ACCESS-DENIED */ };

RADIUS server definition
  root@srxA-1# set system radius-server 210.x.y secret Juniper
  [edit]
  root@srxA-1# set system authentication-order radius tacplus
  [edit]
  root@srxA-1# commit
At least one of the authentication-order methods must respond; otherwise local authentication is used.
  R1 (ttyp0)
  login: nancy
  Password:
  Local password:

Logging
By default the primary log file is /var/log/messages.
Syslog can be configured through:
  edit system syslog
  edit routing-options options syslog
  set system syslog user * any emergency
  set system syslog file messages any any
  set system syslog file messages authorization info
  set system syslog file interactive-commands interactive-commands any
  set system syslog file config-changes change-log info
  set system syslog host 10.1.1.1 any notice
  set system syslog host 10.1.1.1 authorization info

Interpreting syslog messages
Fields: timestamp, host, process or PID, message code, message text
  May 26 14:27:17 R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress: notifying eventd(80)
  commit complete
To include the severity, explicit-priority must be configured:
  set system syslog file messages explicit-priority
  May 26 14:38:13 R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration
Help interpreting a log message is available from the CLI itself:
  root@R1# help syslog UI_COMMIT_PROGRESS
  Name:          UI_COMMIT_PROGRESS
  Message:       Commit operation in progress:
  Help:          mgd recorded step in commit operation
  Description:   As it performed a commit operation, the management process (mgd) recorded its execution of the indicated step.
  Type:          Event: This message reports an event, not an error
  Severity:      info

Traceoptions
*Equivalent to debug in Cisco*
Junos can send tracing to a file or to syslog. To redirect it to a different syslog server:
  set system tracing destination-override syslog host 10.1.1.2
Example: tracing OSPF hellos. The size can be given with the suffixes K, M, G (KB, MB, GB). When the trace exceeds the size, the file is rotated across the configured number of files, starting with trace-file.0, trace-file.1, ...
  set protocols ospf traceoptions file ospf-trace
  set protocols ospf traceoptions file size 128m
  set protocols ospf traceoptions file files 10
  set protocols ospf traceoptions file world-readable
  set protocols ospf traceoptions flag hello detail
  set protocols ospf traceoptions flag error detail
  set protocols ospf traceoptions flag event detail
  root@R1# run file show /var/log/ospf-trace
  May 26 14:52:47 trace_on: Tracing to "/var/log/ospf-trace" started
  May 26 14:52:47.821578 Interface em5.101 area 0.0.0.0 event NeighborChange
  May 26 14:52:47.835103 IFL em5.32767 iflchange 0x0
  May 26 14:52:47.836167 IFL em5.110 iflchange 0x0
  May 26 14:52:47.836334 IFL em5.102 iflchange 0x0
  May 26 14:52:47.836498 IFL em5.101 iflchange 0x0
  May 26 14:52:47.836643 IFL em5.0 iflchange 0x0
  May 26 14:52:47.836793 IFL lo0.16385 iflchange 0x0
  May 26 14:52:47.836891 IFL lo0.16384 iflchange 0x0
  May 26 14:52:47.837115 IFL lo0.0 iflchange 0x0
  (... omitted ...)
  May 26 14:52:47.867410 OSPF updated PPM interface IFL 84, addr 172.20.110.1, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0
  May 26 14:52:47.867614 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
  May 26 14:52:47.867816 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
  May 26 14:52:47.868182 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
  May 26 14:52:47.873156 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)

AND operator:
  root@R1# run show log messages | find "May 26" | match "error"
OR operator:
  root@R1# run show log messages | match "May 26" | match "error|kernel"
Monitoring log messages in real time:
  user@router> monitor start messages | match fail
Stop receiving messages:
  user@router> monitor stop

NTP
  set system ntp server 10.10.10.10
  set system ntp boot-server 10.10.10.10
  root@R1# run show ntp associations
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *10.10.10.10      .INIT.          16 -  395 1024    0    0.000    0.000 4000.00
The * marks the host selected for synchronization.

Archiving
Back up the configuration via FTP/SCTP after each commit; configuring several destinations means that if the primary site fails the second site is used, and so on.
  set system archival configuration transfer-on-commit
  set system archival configuration archive-sites "ftp://backup@10.10.10.1:/archive" password #FAZER!SEMPRE_BACKUP#
  set system archival configuration archive-sites "sctp://backup@10.10.10.1:/archive" password #FAZER!SEMPRE_BACKUP#
  root@R1# commit
  root@R1# run show log messages | match ftp
  May 26 16:11:40 R1 fetch: %DAEMON-3: fetch: ftp://backup@10.10.10.1:*: No route to host
The copies of the files are kept in /var/transfer/config:
  root@R1# run file list /var/transfer/config/ detail
  /var/transfer/config/:
  total 28
  -rw-r-----  1 root  wheel  1101 May 26 16:10 R1_juniper.conf.gz_20140526_151053
  -rw-r-----  1 root  wheel  1101 May 26 16:11 R1_juniper.conf.gz_20140526_151127
  -rw-r-----  1 root  wheel  1101 May 26 16:12 R1_juniper.conf.gz_20140526_151206
  -rw-r-----  1 root  wheel  1101 May 26 16:12 R1_juniper.conf.gz_20140526_151254
  -rw-r-----  1 root  wheel  1187 May 26 16:23 R1_juniper.conf.gz_20140526_152319
For regular backups of the config use the following (note: every 24 hours, i.e. 1440 minutes):
  set system archival configuration transfer-interval 1440

SNMP
  set snmp location LISDC-Rack122
  set snmp contact "ip@cocheno.com"
  set snmp community JUNIPER
  set snmp trap-options source-address lo0
  set snmp trap-group group-SNMP categories link
  set snmp trap-group group-SNMP categories routing
  set snmp trap-group group-SNMP targets 10.10.10.10
  set snmp trap-group group-SNMP targets 10.10.10.11
  set snmp trap-group group-SNMP version v2
  set snmp community JUNIPER clients 192.168.20.0/24
Performing an SNMP walk (decimal and ASCII output are both possible):
  lab@srxA-1> show snmp mib walk jnxOperatingDescr
  jnxOperatingDescr.1.1.0.0 = midplane
  jnxOperatingDescr.2.1.0.0 = PEM 0
  jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1

***Chapter 6: Operational Monitoring and Maintenance***

The primary platform monitoring tool is the CLI, which includes the show and monitor commands. Secondary tools are J-Web, SNMP and the hardware LEDs/LCDs.
show system arguments:
  alarms: This argument displays current system alarms
  boot-messages: This argument displays the messages seen during the last system boot
  connections: This argument displays the status of local TCP and UDP connections
  statistics: This argument provides options for viewing various protocol statistics
  storage: This argument displays the status of the file system storage space
show chassis arguments:
  alarms: This argument displays current chassis alarms
  environment: This argument displays component and environmental status as well as the operational speeds of the cooling system
  hardware: This argument displays an inventory of the installed hardware components along with the serial number of each component
  routing-engine: This argument provides operational status and utilization details for the Routing Engine (RE)

Traffic capture
Capture traffic to a file (this option is hidden in the CLI):
  monitor traffic write-file captura
Capture in real time on a given interface:
  root@R1# run monitor traffic interface em5 no-resolve ?
  Possible completions:
    <[Enter]>            Execute this command
    absolute-sequence    Display absolute TCP sequence numbers
    brief                Display brief output
    count                Number of packets to receive (0..1000000 packets)
    detail               Display detailed output
    extensive            Display extensive output
    layer2-headers       Display link-level header on each dump line
    matching             Expression for headers of receive packets to match
    no-domain-names      Don't display domain portion of hostnames
    no-promiscuous       Don't put interface into promiscuous mode
    no-timestamp         Don't print timestamp on each dump line
    print-ascii          Display packets in ASCII when displaying in hexadecimal format
    print-hex            Display packets in hexadecimal format
    resolve-timeout      Period of time to wait for each name resolution (seconds)
    size                 Amount of each packet to receive (bytes)
    |                    Pipe through a command
  root@R1# run monitor traffic interface em5 no-resolve detail
  Address resolution is OFF.
  Listening on em5, capture size 1514 bytes
  18:00:02.101361  In IP6 (hlim 1, next-header: UDP (17), length: 107) fe80::6101:1a73:bc24:3daf.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit(C cliaddr=8:2:189d:1:e:1:1:188a relayaddr=2145:d4be:d963:d2be:3:c:5300:5056)
  18:00:02.983638 Out IP (tos 0xc0, ttl 1, id 12712, offset 0, flags [none], proto: OSPF (89), length: 64) 172.20.101.1 > 224.0.0.5: OSPFv2, Hello, length 44
          Router-ID 9.9.9.9, Backbone Area, Authentication Type: none (0)
          Options [External]
            Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
            Designated Router 172.20.101.1
  18:00:02.985453 Out IP (tos 0xc0, ttl 1, id 12713, offset 0, flags [none], proto: OSPF (89), length: 64) 172.20.110.1 > 224.0.0.5: OSPFv2, Hello, length 44
          Router-ID 9.9.9.9, Backbone Area, Authentication Type: none (0)
          Options [External]
            Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
            Designated Router 172.20.110.1
  ^C
  3 packets received by filter
  0 packets dropped by kernel

Junos packages
  jinstall - used on the M/MX/T Series
  jinstall-ex - used on the EX Series
  junos-jsr - used on the J Series
  junos-srx - used on the SRX Series

Before request system storage cleanup, it is possible to check which files would be deleted:
  root@R1> request system storage ?
  Possible completions:
    cleanup              Clean up temporary files and rotate logs
  root@R1> request system storage cleanup ?
  Possible completions:
    <[Enter]>            Execute this command
    dry-run              Only list the cleanup candidates, do not remove them
  root@R1> request system storage cleanup dry-run

Unified ISSU
Allows an upgrade with no disruption of the control plane; it is only supported with 2 Routing Engines. Graceful Routing Engine switchover (GRES) and nonstop active routing (NSR) must be enabled. Not all platforms support NSR, and during the version change no PIC online/offline operations can be performed.
Steps to perform a unified ISSU:
1. enable GRES and NSR and verify protocol synchronization
2. on the master RE run: request system software in-service-upgrade

Using groups
******Macros*****
Definition of the group CONFIG_IF_EM:
  set groups CONFIG_IF_EM interfaces description "By group"
  set groups CONFIG_IF_EM interfaces vlan-tagging
  set groups CONFIG_IF_EM interfaces speed 10m
  set groups CONFIG_IF_EM interfaces link-mode half-duplex
  set groups CONFIG_IF_EM interfaces unit 0 vlan-id 1
  set groups CONFIG_IF_EM interfaces unit 0 family inet
  set groups CONFIG_IF_EM interfaces unit 0 family inet6
  root@R1# show interfaces em4
  apply-groups CONFIG_IF_EM;
  root@R1# show interfaces em4 | display inheritance | except #
  description "By group";
  vlan-tagging;
  speed 10m;
  link-mode half-duplex;
  unit 0 {
      vlan-id 1;
      family inet;
      family inet6;
  }
  [edit]
  root@R1# show interfaces em4 | display inheritance
  ##
  ## 'By group' was inherited from group 'CONFIG_IF_EM'
  ##
  description "By group";
  ##
  ## 'vlan-tagging' was inherited from group 'CONFIG_IF_EM'
  ##
  vlan-tagging;
  ##
  ## '10m' was inherited from group 'CONFIG_IF_EM'
  ##
  speed 10m;
  ##
  ## 'half-duplex' was inherited from group 'CONFIG_IF_EM'
  ##
  link-mode half-duplex;
  ##
  ## '0' was inherited from group 'CONFIG_IF_EM'
  ##
  unit 0 {
      ##
      ## '1' was inherited from group 'CONFIG_IF_EM'
      ##
      vlan-id 1;
      ##
      ## 'inet' was inherited from group 'CONFIG_IF_EM'
      ##
      family inet;
      ##
      ## 'inet6' was inherited from group 'CONFIG_IF_EM'
      ##
      family inet6;
  }
  [edit]
  root@R1# show interfaces ae0
  apply-groups CONFIG_IF_EM;
  vlan-tagging;
  aggregated-ether-options {
      lacp {
          active;
      }
  }
  [edit]
  root@R1# show interfaces ae0 | display inheritance
  vlan-tagging;
  aggregated-ether-options {
      lacp {
          active;
      }
  }
  [edit]

Routing
Routing preference values can range from 0 to 4,294,967,295.
  * - marks the active route
  holddown - routes in a pending state before the system declares them inactive
  hidden - routes the system cannot use because of an invalid next-hop or a routing policy
show route forwarding-table
Some routes are permanent by nature, such as the default entry (Type perm); this entry is used by the router to discard traffic when there is no route to a destination, after which an ICMP unreachable is sent to the source host. If a default route exists in the table, the router uses it instead of the perm entry.
Route types:
  cloned (clon)—(TCP or multicast only) Cloned route.
  destination (dest)—Remote addresses directly reachable through an interface.
  destination down (iddn)—Destination route for which the interface is unreachable.
  interface cloned (ifcl)—Cloned route for which the interface is unreachable.
  route down (ifdn)—Interface route for which the interface is unreachable.
  ignore (ignr)—Ignore this route.
  interface (intf)—Installed as a result of configuring an interface.
  permanent (perm)—Routes installed by the kernel when the routing table is initialized.
  user—Routes installed by the routing protocol process or as a result of the configuration.
Next-hop types:
  broadcast (bcst)—Broadcast.
  deny—Deny.
  hold—Next hop is waiting to be resolved into a unicast or multicast type.
  indexed (idxd)—Indexed next hop.
  indirect (indr)—Indirect next hop.
  local (locl)—Local address on an interface.
  routed multicast (mcrt)—Regular multicast next hop.
  multicast (mcst)—Wire multicast next hop (limited to the LAN).
  multicast discard (mdsc)—Multicast discard.
  multicast group (mgrp)—Multicast group member.
  receive (recv)—Receive.
  reject (rjct)—Discard. An ICMP unreachable message was sent.
  resolve (rslv)—Resolving the next hop.
  unicast (ucst)—Unicast.
  unilist (ulst)—List of unicast next hops. A packet sent to this next hop goes to any next hop in the list.

By default Junos creates the master instance and other private instances. These private instances are for Junos internal use (communication between hardware components).
  root@R1> show route instance
  Instance             Type      Primary RIB                   Active/holddown/hidden
  __juniper_private1__ forwarding
                                 __juniper_private1__.inet.0   0/0/1
                                 __juniper_private1__.inet6.0  1/0/0
  __juniper_private2__ forwarding
                                 __juniper_private2__.inet.0   0/0/1
  __master.anon__      forwarding
  master               forwarding
                                 inet.0                        8/0/0
                                 inet6.0                       1/0/0
Instance types:
  root@R1# set routing-instances new-instance instance-type ?
  forwarding: Used to implement filter-based forwarding for common Access Layer applications
  l2vpn: Used in Layer 2 VPN implementations
  no-forwarding: Used to separate large networks into smaller administrative entities
  virtual-router: Used for non-VPN-related applications such as system virtualization; "VRF-lite"
  vpls: Used for point-to-multipoint LAN implementations between a set of sites in a VPN
  vrf: Used in Layer 3 VPN implementations
root@R1>show route table new-instance.inet.0 root@R1>show interfaces terse routing-instance new-instance root@R1>traceroute 2.2.2.2 routing-instance new-instance Static Routing O next-hop pode ser a opcao de bit bucket, as opcoes de discard/reject permite descartar o trafego: discard faz drop silenciosamente (nao envia ICMP) reject envia ICMP unreachable Config static routing set routing-options static{ route 0.0.0.0/0 next-hop 172.30.25.1; route 172.28.102.0/24 { next-hop 10.210.11.190; no-readdvertise; } } O nex-hop deve ser directamente ligado, pq by default o JunOS nao faz lookups recursivos, pera permitir usar o comando resolve set routing-options static route 0.0.0.0/0 next-hop 172.30.25.1; set routing-options static route 172.28.102.0/24 next-hop 10.210.11.190 no-readdvertise resolve Qualified Next hops Permite indicar a preferencia de uma rota (floating route) qualified-next-hop x.x.x.x { preference 7; } ******Routing Policy******** (Routes/Protocols)Import Policies->Routing table-> Export Policies(Routes/Protocols) | | v Forwarding table Protocol Import Policy Export Policy BGP Aceita/importa todas as rotas Aceita todas as rotas BGP activas ` BGP para inet.0 OSPF Aceita/importa todas as rotas Rejeita tudo (protocol floods by default) ` OSPF para inet.0 IS-IS Aceita/importa todas as rotas Rejeita tudo (protocol floods by default) ` IS-IS para inet.0 RIP Aceita todas as rotas do neighbors Rejeita tudo explicitamente confgiurados e importa para inet.0 Nao e possivel no OSPF atraves de uma policy para o advertisement de LSAs, ou mesmo filtrar as rotas internas (incluindo inter-area) da tabela de routing. Mas e possivel filtrar rotas externas. Apesar de "rejeita tudo" na Export Policy o router continua a enviar LSAs, a policy nao permite o envio de rotas adicionais com origem em outras sources. config import/export policys ao nivel do protocolo ou neighbor As routing policys contem um conjuntos de terms, estes sao analisados sequencialmente. 
When a term matches (its from conditions hold), the actions in its then clause are executed. If the action is a terminating action, evaluation of the policy stops and the following terms are not evaluated. The control actions accept and reject are both terminating actions.
The order of terms can be changed with insert:
    [edit]
    root@R1# insert policy-options policy-statement OUT-RIP term ospf-to-rip-1 {after|before} term ospf-to-rip

    policy-options {
        policy-statement OUT-RIP {
            term ospf-to-rip-1 {
                from protocol ospf;
                then accept;
            }
            term ospf-to-rip {
                from protocol ospf;
                then accept;
            }
        }
    }
If a term has no from clause, the action of its then clause is applied to every route.

prefix-list         exact match of one of the listed prefixes
prefix-list-filter  allows a match type and an action. Match types: exact, longer, orlonger
In polic2 the action follows the match type (it is optional; when present it is executed on match and the then clause is not needed).
    policy-options {
        prefix-list filter-rfc1918 {
            10.0.0.0/8;
            172.16.0.0/12;
            192.168.0.0/16;
        }
        policy-statement polic {
            from {
                prefix-list filter-rfc1918;
            }
            then reject;
        }
        policy-statement polic2 {
            from {
                prefix-list-filter filter-rfc1918 longer reject;
            }
        }
    }
Caveat: because prefix-list is an exact match, polic rejects 10.0.0.0/8 but lets 10.1.0.0/16 through; polic2 does the opposite (rejects the more-specifics, not the aggregate). A bogon filter needs orlonger.

Route Filters
Route filters cannot be reused like prefix-lists, but they give finer granularity per prefix.
Match types:
    exact                from route-filter 192.168.1.0/24 exact
    longer               from route-filter 192.168.1.0/24 longer
    orlonger             from route-filter 192.168.1.0/24 orlonger
    upto                 from route-filter 192.168.1.0/24 upto /29
    prefix-length-range  from route-filter 192.168.1.0/24 prefix-length-range /27-/30
When a term contains several route-filter lines, only the line with the longest prefix that covers the route is evaluated; a more specific line with a non-matching type (e.g. exact) shadows a broader orlonger line.

Common Actions
accept and reject are terminating actions: they stop the evaluation of the policy.
The nonterminating actions default-action accept and default-action reject do not stop evaluation, but they override the protocol's default policy for routes that reach the end of the policy chain without a terminating action.
Other common actions are next term and next policy, called flow-control actions.
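To make the evaluation rules above concrete, here is an added example (not from the notes and not Junos code) that models them in Python: the route-filter match types, prefix-list versus prefix-list-filter, ordered term evaluation with terminating, next term and default-action actions, and the longest-match rule for several route-filter lines in one term. The route set, the policy names (POLIC, POLIC2, BOGON, SHADOW) and the use of "accept" as the protocol default are constructed for the example.

```python
"""Model of Junos routing-policy evaluation (added example, not Junos code).

Covers the route-filter match types from the notes (exact, longer, orlonger,
upto, prefix-length-range), prefix-list vs prefix-list-filter, ordered term
evaluation with terminating (accept/reject), flow-control (next term) and
default-action actions, and the longest-match rule that applies when one term
carries several route-filter lines.  Routes and policy names are made up.
"""
from ipaddress import IPv4Network

# Constructed candidate routes, as if received from a neighbor.
ROUTES = ["0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "10.1.1.0/24",
          "192.168.0.0/16", "192.168.1.0/24", "192.168.1.0/28",
          "192.168.1.0/30", "203.0.113.0/24"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def route_filter_match(route, prefix, mtype, arg=None):
    """One route-filter / prefix-list-filter line: does `route` match it?"""
    r, p = IPv4Network(route), IPv4Network(prefix)
    if not r.subnet_of(p):
        return False                          # outside the configured prefix
    if mtype == "exact":
        return r.prefixlen == p.prefixlen
    if mtype == "longer":
        return r.prefixlen > p.prefixlen
    if mtype == "orlonger":
        return True
    if mtype == "upto":                       # arg: 29 for "upto /29"
        return r.prefixlen <= arg
    if mtype == "prefix-length-range":        # arg: (27, 30) for "/27-/30"
        return arg[0] <= r.prefixlen <= arg[1]
    raise ValueError("unknown match type " + mtype)


def route_filter_term(route, lines):
    """Several route-filter lines in ONE term: only the line whose prefix is
    the longest one covering the route is evaluated (Junos semantics)."""
    r = IPv4Network(route)
    covering = [ln for ln in lines if r.subnet_of(IPv4Network(ln[0]))]
    if not covering:
        return False
    prefix, mtype, arg = max(covering, key=lambda ln: IPv4Network(ln[0]).prefixlen)
    return route_filter_match(route, prefix, mtype, arg)


def evaluate(policy, route, protocol_default):
    """Walk the terms in order.  A term is (name, from_fn, action); from_fn is
    None when the term has no from clause (it then matches every route).
    accept/reject terminate; 'next term' falls through; 'default-action X'
    also falls through but replaces the protocol default used at the end."""
    for name, from_fn, action in policy:
        if from_fn is not None and not from_fn(route):
            continue
        if action in ("accept", "reject"):
            return action, name
        if action.startswith("default-action "):
            protocol_default = action.split()[1]
    return protocol_default, "<default>"


# polic: prefix-list is an exact match, so 10.1.0.0/16 is not rejected.
POLIC = [("rfc1918", lambda r: r in RFC1918, "reject")]
# polic2: prefix-list-filter ... longer reject hits the more-specifics only.
POLIC2 = [("rfc1918", lambda r: any(route_filter_match(r, p, "longer")
                                    for p in RFC1918), "reject")]
# A bogon filter as it should be written: orlonger, no default, explicit accept.
BOGON = [("rfc1918", lambda r: any(route_filter_match(r, p, "orlonger")
                                   for p in RFC1918), "reject"),
         ("no-default", lambda r: r == "0.0.0.0/0", "reject"),
         ("rest", None, "accept")]
# Longest-match gotcha: the /16 exact line shadows the /8 orlonger line, so
# 10.1.1.0/24 is NOT rejected although it is inside 10.0.0.0/8.
SHADOW = [("t1", lambda r: route_filter_term(r, [("10.0.0.0/8", "orlonger", None),
                                                 ("10.1.0.0/16", "exact", None)]),
           "reject"),
          ("rest", None, "accept")]


def run(policy, protocol_default="accept"):
    """Decision per route; 'accept' as default mimics the BGP import default."""
    return {r: evaluate(policy, r, protocol_default)[0] for r in ROUTES}


if __name__ == "__main__":
    for name, pol in [("polic", POLIC), ("polic2", POLIC2),
                      ("bogon", BOGON), ("shadow", SHADOW)]:
        rejected = [r for r, d in run(pol).items() if d == "reject"]
        print(name, "rejects", rejected)
```

Running it shows the two failure modes a reviewer looks for in a prefix filter: polic (exact) misses every more-specific, and SHADOW accepts 10.1.1.0/24 because the more specific exact line wins the longest-match selection and then fails to match.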
Firewall Filters
Firewall filters are stateless: they keep no connection state, so return traffic has to be permitted explicitly (e.g. with tcp-established or by ICMP type).
Implicit discard by default: a packet that matches no term is dropped at the end of the filter.
Common Actions
    Terminating actions  accept, discard, reject
    Flow control         next term
    Action modifiers     count, log, syslog               record hits
                         forwarding-class, loss-priority  set Class of Service (CoS)
                         policer                          rate limiting
next term is useful when a policer or a DiffServ code point (DSCP) must be applied and the packet must still go through the remaining terms; there is no next filter action.
If only an action modifier is specified, the accept action is implied.
    interfaces {
        em5 {
            vlan-tagging;
            unit 121 {
                vlan-id 121;
                family inet {
                    filter {
                        input IN;
                        output OUT;
                    }
                    address 10.10.121.4/24;
                }
            }
        }
    }
    firewall {
        family inet {
            filter IN {
                term ACCEPT_ALL {
                    then {
                        log;
                        accept;
                    }
                }
            }
            filter OUT {
                term ACCEPT_ALL {
                    from {
                        icmp-type echo-reply;
                    }
                    then accept;
                }
                term ACCEPT_ALL_ {
                    from {
                        icmp-type echo-request;
                    }
                    then {
                        log;
                        discard;
                    }
                }
                term ACCEPT_ALL_2 {
                    then accept;
                }
            }
        }
    }
Filter OUT accepts outgoing echo-reply, logs and discards outgoing echo-request, and accepts everything else (the term names are misleading: ACCEPT_ALL_ discards). Add protocol icmp to the terms that match on icmp-type, so that the ICMP type match is not applied to packets of other protocols.

Filtering Local
Filters applied to lo0 act on traffic destined to the Routing Engine (control plane: routing protocols, SSH, SNMP, ...), so be careful! A wrong lo0 filter can break adjacencies or lock you out of management; apply it with commit confirmed.

**********Policing**********
Firewall filters can also police (rate-limit) traffic. If the term that calls the policer has no from clause, every packet going through the filter is policed (in whichever direction, input or output, the filter is applied).
Policers can also be applied directly on an interface.
Policing uses the token-bucket algorithm, which enforces a limit on the average bandwidth while allowing bursts up to a specified maximum. Two limits are configured: bandwidth-limit and burst-size-limit.
The preferred method for determining the maximum burst size is to multiply the speed of the interface by the amount of time bursts that you want to allow at that bandwidth level. For example, to allow bursts on a Fast Ethernet link for 5 milliseconds (a reasonable value), use the following calculation:
    burst size = bandwidth (100,000,000 bits per sec) x allowable burst time (5/1000 s)
This calculation yields a burst size of 500,000 bits. You can divide this number by 8 to convert it to bytes, which gives you a burst size of 62500 bytes.
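The firewall-filter and policing semantics above (ordered terms, accept implied when only a modifier is configured, the implicit discard, and a token bucket sized with the burst formula) as an added Python model. This is example code written for these notes, not Junos code: it reproduces the rate-limit-subnet filter and policer p1 configured in this section with a constructed packet trace, and the 5 ms Fast Ethernet burst calculation.

```python
"""Model of a Junos firewall filter with a token-bucket policer (added
example, not Junos code).  Reproduces the notes' rate-limit-subnet filter:
packets from 192.100.1.0/24 go through policer p1 (bandwidth-limit 100k bps,
burst-size-limit 20k bytes).  In-profile packets get the term's action,
which is accept because only a modifier is configured; out-of-profile
packets get the policer's action (discard).  Other packets hit else-accept,
and a filter without such a term discards implicitly.  Packet trace is
constructed.
"""
from ipaddress import IPv4Address, IPv4Network


def burst_size_bytes(bandwidth_bps, burst_ms):
    """Juniper's rule of thumb: burst = link speed x allowed burst time."""
    return bandwidth_bps * burst_ms // 8000       # bits -> bytes


class Policer:
    """Single-rate token bucket: bandwidth-limit in bps, burst-size-limit in bytes."""

    def __init__(self, bandwidth_limit, burst_size_limit, action="discard"):
        self.rate = bandwidth_limit / 8           # bytes refilled per second
        self.depth = burst_size_limit             # bucket capacity in bytes
        self.tokens = float(burst_size_limit)     # the bucket starts full
        self.last = 0.0
        self.action = action                      # the policer's own "then"

    def exceeds(self, size, now):
        """True when the packet is out of profile; it then consumes no tokens."""
        self.tokens = min(self.depth, self.tokens + self.rate * (now - self.last))
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return False
        return True


class Term:
    def __init__(self, name, source=None, policer=None, action=None):
        self.name = name
        self.source = IPv4Network(source) if source else None   # from source-address
        self.policer = policer                                   # then policer <p>
        # Only action modifiers configured -> accept is implied.
        self.action = action or "accept"

    def matches(self, src):
        return self.source is None or IPv4Address(src) in self.source


def apply_filter(terms, src, size, now):
    """Evaluate the terms in order; return (decision, term that decided)."""
    for t in terms:
        if not t.matches(src):
            continue
        if t.policer is not None and t.policer.exceeds(size, now):
            return t.policer.action, t.name + "/policer"
        return t.action, t.name
    return "discard", "<implicit>"        # every filter ends in an implicit discard


def build_filter(final_accept=True):
    """The notes' rate-limit-subnet filter with a fresh policer p1; with
    final_accept=False the else-accept term is left out."""
    p1 = Policer(bandwidth_limit=100_000, burst_size_limit=20_000)
    terms = [Term("match-subnet", source="192.100.1.0/24", policer=p1)]
    if final_accept:
        terms.append(Term("else-accept"))
    return terms


# Constructed trace: (time in s, source, size in bytes).  25 packets of 1000 B
# at t=0 from the policed subnet, one from elsewhere, then 13 more at t=1.
TRACE = ([(0.0, "192.100.1.10", 1000)] * 25 + [(0.0, "10.0.0.1", 1000)]
         + [(1.0, "192.100.1.10", 1000)] * 13)


def replay(terms, packets):
    """Decision for every packet of a trace, in order."""
    return [apply_filter(terms, src, size, t)[0] for t, src, size in packets]


if __name__ == "__main__":
    print("5 ms burst on Fast Ethernet:", burst_size_bytes(100_000_000, 5), "bytes")
    decisions = replay(build_filter(), TRACE)
    print(decisions.count("accept"), "accepted,", decisions.count("discard"), "discarded")
```

With a 20,000-byte bucket and 12,500 bytes/s of refill (100 kbps), the first 20 packets of the burst pass and the next 5 are dropped; one second later only 12 more fit. The packet from 10.0.0.1 never touches the policer, and without the else-accept term it would be dropped by the implicit discard.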
    bandwidth-limit   bandwidth in bits per second
    burst-size-limit  burst in bytes
When the policer is evaluated: if the packet is within the limit, the then action of the firewall filter term is executed (accept, if only the policer modifier is configured); if it exceeds the limit, the policer's own then action is executed.
    set firewall family inet filter rate-limit-subnet term match-subnet from source-address 192.100.1.0/24
    set firewall family inet filter rate-limit-subnet term match-subnet then policer p1
    set firewall family inet filter rate-limit-subnet term else-accept then accept
    set firewall policer p1 if-exceeding bandwidth-limit 100k
    set firewall policer p1 if-exceeding burst-size-limit 20k
    set firewall policer p1 then discard

    firewall {
        family inet {
            filter rate-limit-subnet {
                term match-subnet {
                    from {
                        source-address {
                            192.100.1.0/24;
                        }
                    }
                    then policer p1;
                }
                term else-accept {
                    then accept;
                }
            }
        }
        policer p1 {
            if-exceeding {
                bandwidth-limit 100k;
                burst-size-limit 20k;
            }
            then discard;
        }
    }
Verification:
    show firewall counter filter filter-name counter-name
    show firewall log
    clear firewall filter filter-name
A filter name or a blank space appears if the RE handles the packet. Otherwise, a dash ( - ) or pfe appears instead of the filter name to indicate that the packet was handled by the PFE. The contents of the firewall log are cleared when the system reboots; the log action only fills a small in-memory buffer, so use syslog for anything that has to be kept.

*********Automated Antispoofing Filters********
Reverse Path Forwarding (unicast RPF)
RPF checks can be combined with firewall filters on the same interface. Enabling the feature increases memory consumption on the PFE.
Strict vs loose mode (strict is the default):
    strict  the packet is accepted only if the best route back to its source address points out the interface it arrived on
    loose   the packet is accepted if a route to the source address exists at all, on any interface (it catches sources with no route, such as unallocated space, but does not stop spoofing of addresses that are routed)
By default Junos checks only the active path to the source prefix, which causes drops when multiple paths exist (asymmetric routing). To also accept packets arriving over non-active, feasible paths:
    set routing-options forwarding-table unicast-reverse-path feasible-paths

Fail Filters
By default RPF discards traffic that fails the check, but an optional fail filter can be specified. Any action can be defined in that filter, including accepting traffic even though it failed the RPF check.
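An added Python model (example code, not Junos code) of the RPF check and fail filter described above: strict versus loose mode, active versus feasible paths, and a fail filter that accepts DHCP DISCOVER. The routing table (prefixes, the interfaces em0/em1/em2 and which path is active), the packets and the treatment of the default route are assumptions of the model; check how your own platform treats a default route in the RPF lookup.

```python
"""Model of a unicast RPF check with a fail filter (added example, not Junos
code).  Implements the strict and loose modes, the active-paths vs
feasible-paths choice for asymmetric routing, and the notes' rpf-dhcp fail
filter that rescues DHCP DISCOVER (0.0.0.0 -> 255.255.255.255), which can
never pass RPF because 0.0.0.0 has no route.  The RIB, the interface names
and the packets are constructed.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed RIB: (prefix, outgoing interface, active path?).  The second
# 10.3.0.0/16 entry is a feasible but non-active path (asymmetric routing).
RIB = [
    ("10.1.12.0/24", "em0", True),
    ("10.3.0.0/16",  "em1", True),
    ("10.3.0.0/16",  "em0", False),
    ("0.0.0.0/0",    "em2", True),
]


def routes_to(src):
    """Longest-match lookup: all RIB entries for the most specific prefix that
    covers src (several when there are multiple paths)."""
    ip = IPv4Address(src)
    covering = [e for e in RIB if ip in IPv4Network(e[0])]
    if not covering:
        return []
    best = max(IPv4Network(e[0]).prefixlen for e in covering)
    return [e for e in covering if IPv4Network(e[0]).prefixlen == best]


def rpf_passes(src, ingress, mode="strict", feasible_paths=False):
    """strict: the route back to src must leave via the ingress interface;
    loose: any route to src is enough.  Only active paths count unless
    feasible_paths is set.  The default route is deliberately ignored in this
    model: letting 0.0.0.0/0 satisfy the check would validate every source."""
    entries = [e for e in routes_to(src) if e[0] != "0.0.0.0/0"]
    if not feasible_paths:
        entries = [e for e in entries if e[2]]
    if mode == "loose":
        return bool(entries)
    return any(e[1] == ingress for e in entries)


def fail_filter_rpf_dhcp(src, dst):
    """The notes' rpf-dhcp fail filter: accept DHCP DISCOVER; everything else
    that failed the check hits the filter's implicit discard."""
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return "accept"
    return "discard"


def forward(src, dst, ingress, mode="strict", feasible_paths=False,
            fail_filter=None):
    """Decision for one packet arriving on `ingress`."""
    if rpf_passes(src, ingress, mode, feasible_paths):
        return "accept"
    if fail_filter is None:
        return "discard"                  # default action on RPF failure
    return fail_filter(src, dst)


if __name__ == "__main__":
    packets = [("10.1.12.5", "10.2.2.2", "em0"),          # legitimate
               ("10.1.12.5", "10.2.2.2", "em1"),          # spoofed, arrives on em1
               ("10.3.4.4", "10.2.2.2", "em0"),           # asymmetric return path
               ("0.0.0.0", "255.255.255.255", "em0"),     # DHCP DISCOVER
               ("198.51.100.7", "10.2.2.2", "em0")]       # only the default route
    for src, dst, ifc in packets:
        print(src, "on", ifc, "strict:", forward(src, dst, ifc),
              "loose:", forward(src, dst, ifc, mode="loose"),
              "feasible:", forward(src, dst, ifc, feasible_paths=True),
              "fail-filter:", forward(src, dst, ifc, fail_filter=fail_filter_rpf_dhcp))
```

The second packet is the point of strict mode: 10.1.12.5 is a routed address, so loose mode lets the spoofed copy arriving on em1 through, while strict mode drops it. The third packet shows why feasible-paths exists, and the last two show that a fail filter only rescues what it explicitly accepts.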
(To see these RPF-failed packets logged, configure log in the fail filter.)
    set interfaces em0 unit 0 family inet rpf-check fail-filter rpf-dhcp
    set interfaces em0 unit 0 family inet address 10.1.12.1/24
    set interfaces lo0 unit 0 family inet address 10.2.2.2/32
    set firewall family inet filter rpf-dhcp term dhcp from source-address 0.0.0.0/32
    set firewall family inet filter rpf-dhcp term dhcp from destination-address 255.255.255.255/32
    set firewall family inet filter rpf-dhcp term dhcp then accept
DHCP DISCOVER packets are sent from 0.0.0.0, for which there is no route, so they always fail the RPF check; this fail filter rescues exactly that traffic, and its implicit discard still drops everything else that failed the check.

multifield behaviour aggregate