All posts by tina

Configuring BFD for ISIS and OSPF

In this post I show you how to configure BFD liveness detection for your IGP. Again I use the topology from my post on IGP loop prevention:

Redistribution between ISIS/OSPF

BFD is a very lightweight protocol (small header, simple state machine) for detecting forwarding failures on the path between two systems, either directly connected (single-hop) or several hops apart (multi-hop). BFD control packets are carried in UDP (destination port 3784 for single-hop, 4784 for multi-hop), as are BFD echo packets (port 3785). It is specified in RFC 5880 and RFC 5881.

BFD runs on top of an established adjacency: once your IGP adjacency has come up and the routers are exchanging hello packets, BFD additionally starts sending its own periodic control packets.

There are two modes of BFD:

  • Async mode: each side sends periodic control packets; if the configured number of packets in a row is not received, the session is taken down
  • Demand mode: control packets are only sent when needed; again, if the expected packets are not received, the session is taken down

Additionally, BFD implements an Echo function: the receiving side simply loops the echo packets back to the sender. It was designed for slow systems, where only one side (the router) needs to implement BFD and the slow system (a host or CE) only loops the packet back without having to inspect it. As far as I know JunOS currently has no support for the BFD Echo function, so we don't have to consider it here.

Usually you will run BFD in async mode with sub-second intervals. You configure BFD at interface level (sometimes at session level, e.g. for BGP or targeted LDP) with the packet interval in milliseconds and a multiplier.

Example configuration of R2 with interval 100ms and multiplier 3:

admin@router> 
admin@router> show configuration logical-systems R2 protocols | display set
 set logical-systems R2 protocols isis export export-OSPF-to-ISIS
 set logical-systems R2 protocols isis interface fe-0/2/3.50 bfd-liveness-detection minimum-interval 100
 set logical-systems R2 protocols isis interface fe-0/2/3.50 bfd-liveness-detection multiplier 3
 set logical-systems R2 protocols isis interface fe-0/2/3.50 level 1 disable
 set logical-systems R2 protocols isis interface lo0.2 passive
 set logical-systems R2 protocols ospf export export-ISIS-to-OSPF
 set logical-systems R2 protocols ospf area 0.0.0.0 interface lo0.2 passive
 set logical-systems R2 protocols ospf area 0.0.0.0 interface fe-0/2/3.53 bfd-liveness-detection minimum-interval 100
 set logical-systems R2 protocols ospf area 0.0.0.0 interface fe-0/2/3.53 bfd-liveness-detection multiplier 3

You can check the BFD state with the command "show bfd session <detail|extensive>":

admin@router> show bfd session logical-system R2 extensive
                                                  Detect   Transmit
 Address                  State     Interface      Time     Interval  Multiplier
 10.0.1.13                Up        fe-0/2/3.53    0.300     0.100        3
 Client OSPF realm ospf-v2 Area 0.0.0.0, TX interval 0.100, RX interval 0.100
 Session up time 00:31:39
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 5, routing table index 29
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 5, remote discriminator 6
 Echo mode disabled/inactive

                                                  Detect   Transmit
 Address                  State     Interface      Time     Interval  Multiplier
 10.0.1.1                 Up        fe-0/2/3.50    0.300     0.100        3
 Client ISIS L2, TX interval 0.100, RX interval 0.100
 Session up time 00:31:39
 Local diagnostic None, remote diagnostic NbrSignal
 Remote state Up, version 1
 Logical system 5, routing table index 29
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 8, remote discriminator 2
 Echo mode disabled/inactive

  2 sessions, 2 clients
 Cumulative transmit rate 20.0 pps, cumulative receive rate 20.0 pps
admin@router>

If more consecutive BFD packets are lost than the configured multiplier allows, the BFD session goes down and immediately takes your IGP adjacency down with it. This leads to faster failure detection and, in most cases, faster convergence.

Most single-hop BFD sessions run distributed on your FPC/MPC with the help of PPM (periodic packet management), so you can use very low intervals (for example 3 x 15 ms). There are limits on the number of such short-interval sessions, though, so call JTAC and ask about them if you plan to run a large number of sessions. Multi-hop BFD sessions currently run only on the RE, so you should never use intervals faster than 300 ms there.

Hint 1: Don't forget to allow BFD control packets (the UDP ports listed above) in your firewall filter!

Hint 2: If you clear your BFD session or deactivate the configuration, BFD signals an "Admin Down" state in its control packets. This can give different results in convergence tests. If you really want to prove that BFD works, pull the cable or block the BFD packets with a firewall filter.
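As an added example (not the author's code), here is a small Python parser for the "show bfd session extensive" blocks shown above: it recomputes the Detect Time column per RFC 5880 from the local RX interval, the remote TX interval and the remote multiplier, and separates sessions torn down by clear/deactivate (Hint 2) from real detection-time expiries. The second session in the sample and the "AdminDown" diagnostic string are constructed assumptions, not output from the page.

```python
import re

# Constructed sample shaped like the "show bfd session extensive" output above:
# session 1 mirrors the page's OSPF session; session 2 is a constructed peer that
# deactivated BFD and so signals AdminDown (diagnostic names in Junos style).
SAMPLE = """\
 10.0.1.13 Up fe-0/2/3.53 0.300 0.100 3
 Client OSPF realm ospf-v2 Area 0.0.0.0, TX interval 0.100, RX interval 0.100
 Local diagnostic None, remote diagnostic None
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3

 10.0.1.1 Down fe-0/2/3.50 0.900 0.100 3
 Client ISIS L2, TX interval 0.100, RX interval 0.100
 Local diagnostic NbrSignal, remote diagnostic AdminDown
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.300, min RX interval 0.100, multiplier 3
"""

HEAD = re.compile(r"^\s*(\S+)\s+(Up|Down|Init)\s+\S+\s+([\d.]+)\s")
DIAG = re.compile(r"Local diagnostic (\S+), remote diagnostic (\S+)")
LOCAL_RX = re.compile(r"Local min TX interval [\d.]+, minimum RX interval ([\d.]+)")
REMOTE = re.compile(r"Remote min TX interval ([\d.]+), min RX interval [\d.]+, multiplier (\d+)")

def parse_sessions(text: str) -> list[dict]:
    """One dict per session block: peer, state, printed Detect Time, diagnostics
    and the three values RFC 5880 needs to compute the detection time."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, diag = HEAD.match(block), DIAG.search(block)
        rx, rem = LOCAL_RX.search(block), REMOTE.search(block)
        if head and diag and rx and rem:
            sessions.append({"peer": head[1], "state": head[2], "shown": float(head[3]),
                             "local_diag": diag[1], "remote_diag": diag[2],
                             "local_rx": float(rx[1]), "remote_tx": float(rem[1]),
                             "remote_mult": int(rem[2])})
    return sessions

def detection_time(s: dict) -> float:
    # RFC 5880 section 6.8.4: the peer's Detect Mult times the slower of our
    # Required Min RX Interval and the peer's Desired Min TX Interval.
    return round(s["remote_mult"] * max(s["local_rx"], s["remote_tx"]), 3)

def verdict(s: dict) -> str:
    """Hint 2: AdminDown means clear/deactivate, not a detection-time expiry."""
    if s["state"] == "Up":
        return "up"
    if "AdminDown" in (s["local_diag"], s["remote_diag"]):
        return "admin-down"
    return "down"
```

The second session shows why the max() matters: with the peer's minimum TX interval at 300 ms, the detection time becomes 0.900 s even though our own RX interval is 100 ms.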

I hope that gave you a short overview of the BFD protocol and its functions.

Tunneling HTTP/DNS through SSH – Part 2 – Windows

As a follow-up to my previous post (Tunneling HTTP/DNS through SSH) I will show you how you can create a SOCKS proxy with PuTTY for Windows.

1. You must create a session, enter your hostname or IP address with the port, and give it a name like "forwarding":

Create a Profile / Session

2. To speed up your tunnel establishment you can enable auto-login for your username, e.g. "root". This only removes the username prompt; you still have to enter your password every time.

Enable Auto-Login

3. Enable compression for your tunnel 😉

Enable compression

4. Then you must add a dynamic forward on local source port 8080, which PuTTY lists as "D8080".

Set local port

5. Save your session again and open it!

Save your Session

6. After you have entered your password you should see an open port on your host (German Windows edition):

Check your local port

7. That's it! Now you can change your SOCKS proxy settings to localhost:8080, as described in my previous post.

How to recover your root password in JunOS (works on MX Series!)

Here is a how-to for recovering a lost root password in JunOS. A reboot is required!

  1. Power off the router by pressing the power button on the front panel.
  2. Turn off the power to the management device, such as a PC or laptop computer, that you want to use to access the CLI.
  3. Plug one end of the Ethernet rollover cable supplied with the router into the RJ-45–to–DB-9 serial port adapter supplied with the router.
  4. Plug the RJ-45–to–DB-9 serial port adapter into the serial port on the management device.
  5. Connect the other end of the Ethernet rollover cable to the console port on the router.
  6. Turn on the power to the management device.
  7. On the management device, start your asynchronous terminal emulation application (such as Microsoft Windows Hyperterminal) and select the appropriate COM port to use (for example, COM1).
  8. Configure the port settings as follows:
    • Bits per second: 9600
    • Data bits: 8
    • Parity: None
    • Stop bits: 1
    • Flow control: None
  9. Power on the router by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green. The terminal emulation screen on your management device displays the router's boot sequence.
  10. When the following prompt appears, press the Spacebar to access the router’s bootstrap loader command prompt:
    Hit [Enter] to boot immediately, or space bar for command prompt.
    Booting [kernel] in 9 seconds...
  11. At the following prompt, enter boot -s to start up the system in single-user mode.
    ok boot -s
  12. At the following prompt, enter recovery to start the root password recovery procedure.
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
  13. Enter configuration mode in the CLI.
  14. Set the root password. For example:
    user@host# set system root-authentication plain-text-password
  15. At the following prompt, enter the new root password. For example:
    New password: juniper1
    Retype new password:
  16. At the second prompt, reenter the new root password.
  17. After you have finished configuring the password, commit the configuration.
    root@host# commit
    commit complete
  18. Exit configuration mode in the CLI.
  19. Exit operational mode in the CLI.
  20. At the prompt, enter y to reboot the router.
    Reboot the system? [y/n] y

Mostly copied from here.