Category archive: JNCIE-ENT exam topics

Which JunOS version in practical JNCIE exams?

For your JNCIE-SP, -ENT or -SEC study you should always know which JunOS version is currently used in the track. This gives you a good idea of which features could be asked about, compared against the exam topics. And of course, you should always use these versions in your own lab.

Here is a short overview of the current (as of the date of this post) JunOS versions in the practical exams:

Track        JunOS version
JNCIE-ENT    11.1
JNCIE-SEC    11.1
JNCIE-SP     10.4, changing to 12.3 in Aug 2013

When you browse Juniper's website for configuration commands, you will find a drop-down menu at the top right of most pages. You can choose the JunOS version you need and also compare it with older or newer versions. For example, 10.4 -> 12.3: maybe multiple syntax changes? Who knows 😉

[Image: Features / JunOS Version]

You can always find the latest information about the JunOS versions used in the exams on the Juniper website:

JNCIE-ENT – http://www.juniper.net/us/en/training/certification/e_track.html#jncieent

JNCIE-SEC – http://www.juniper.net/us/en/training/certification/es_track.html#jnciesec

JNCIE-SP – http://www.juniper.net/us/en/training/certification/service_provider_track.html#jnciesp

Simple Control-Plane Protection

To protect your control plane (routing engine) you can define a stateless firewall filter that filters traffic based on source/destination IP addresses, protocols or ports. You should only allow the protocols which the router really needs, and you should specify the match parameters as exactly as possible.

This is an example of an input filter that allows the following protocols:

Term                     Protocol                                   Action
management-accept        Telnet and SSH                             count and accept
tacacs-accept            TACACS+                                    count and accept
icmp-accept              ICMP Ping and Traceroute                   count and accept
traceroute-accept        Traceroute via UDP                         count and accept
bgp-accept               BGP                                        count and accept
ospf-accept              OSPF                                       count and accept
ldp-udp-hello-accept     LDP Hello via UDP                          count and accept
ldp-tcp-session-accept   LDP Session (database exchange via TCP)    count and accept
deny-all                 all other traffic                          log, syslog, discard and count

Keep in mind: you cannot create a firewall filter for family iso to filter protocols like IS-IS or ES-IS.

The following configuration shows such a filter for family inet (IPv4); the same approach can be used for inet6 (IPv6).

firewall {
    family inet {
        filter protect-re {
            term management-accept {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count management-accept;
                    accept;
                }
            }
            term tacacs-accept {
                from {
                    protocol tcp;
                    source-port tacacs;
                }
                then {
                    count tacacs-accept;
                    accept;
                }
            }
            term icmp-accept {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    count icmp-accept;
                    accept;
                }
            }
            term traceroute-accept {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute-accept;
                    accept;
                }
            }
            term bgp-accept {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-accept;
                    accept;
                }
            }
            term ospf-accept {
                from {
                    protocol ospf;
                }
                then {
                    count ospf-accept;
                    accept;
                }
            }
            term ldp-udp-hello-accept {
                from {
                    protocol udp;
                    destination-port ldp;
                }
                then {
                    count ldp-udp-hello-accept;
                    accept;
                }
            }
            term ldp-tcp-session-accept {
                from {
                    protocol tcp;
                    port ldp;
                }
                then {
                    count ldp-tcp-session-accept;
                    accept;
                }
            }
            term deny-all {
                then {
                    count denied-packets;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}

It must be applied to the lo0.0 interface in the input direction:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 1.1.1.1/32;
            }
        }
    }
}

You can verify the filter counters with “show firewall filter protect-re”. If some adjacencies or neighborships don't come up, take a closer look at the firewall log, which should contain every packet logged by the term deny-all:

admin@ROUTER> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
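The log above is the fastest way to find a protocol the filter forgot, as the PIM discards show. The following script is an added example (not from the original post): it parses the tabular output of “show firewall log”, counts the discards per protocol, source and destination, and lists the discarded protocols for which the protect-re filter above has no accept term. The column layout follows the output shown above; the sample lines are constructed.

```python
"""Summarise discards recorded by the deny-all term of protect-re.

Added example: parses 'show firewall log' output in the layout shown in
the post and reports which protocols are being discarded.
"""
import re
from collections import Counter

# Constructed sample in the layout of 'show firewall log' shown above.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:46:59  pfe       D      xe-1/3/0.11   VRRP            101.21.11.3                      224.0.0.18
13:46:55  pfe       A      xe-1/3/0.11   TCP             101.21.11.3                      101.21.11.1
"""

# IP protocols the protect-re filter above accepts (TCP/UDP only on the listed ports).
ACCEPTED_PROTOCOLS = {"TCP", "UDP", "ICMP", "OSPF"}

# Columns: time, filter, action (A = accept, D = discard), interface, protocol, source, destination.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<filter>\S+)\s+(?P<action>\S)\s+"
    r"(?P<ifl>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)


def parse_log(text):
    """Return one dict per log entry; the 'Log :' and header lines do not match."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def discards_by_flow(entries):
    """Count discarded packets per (protocol, source, destination)."""
    return Counter((e["proto"], e["src"], e["dst"]) for e in entries if e["action"] == "D")


def unhandled_protocols(entries, accepted=ACCEPTED_PROTOCOLS):
    """Discarded protocols the filter has no term for, i.e. candidates for a new accept term.

    TCP and UDP discards are not reported here: they usually mean a port is
    missing from an existing term, which this log (no port column) cannot show.
    """
    return sorted({e["proto"] for e in entries if e["action"] == "D"} - accepted)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for flow, n in discards_by_flow(entries).most_common():
        print("%5d  %-6s %s -> %s" % (n, *flow))
    print("no accept term for:", ", ".join(unhandled_protocols(entries)))
```

Run against a pasted log, the output tells you which protocol to add a term for (or whether a neighbor is simply talking a protocol you never intended to allow). The deny-all term also discards traffic that only needs a port added to an existing TCP/UDP term; for those cases compare the source against your configured peers, since the log does not show ports.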

Differences between VRRPv2 and VRRPv3

During IPv6 testing I discovered several differences between VRRPv2 (RFC 3768 – http://tools.ietf.org/html/rfc3768) and VRRPv3 (RFC 5798 – http://tools.ietf.org/html/rfc5798) which you should be familiar with if you want to use VRRPv3 for IPv4 and IPv6:

  • VRRPv3 is a unified protocol for IPv4 and IPv6
  • It is a real version cut
    • every router in your LAN must speak the same version
    • only a hard migration is possible
    • with JunOS 12.2 you can switch via "set protocols vrrp version 3"
  • Authentication was dropped in VRRPv3; it should be done by sub-protocols
    • the only security you get is the TTL 255 check
  • Virtual MAC address for IPv4: 00-00-5e-00-01-{VID}
  • Virtual MAC address for IPv6: 00-00-5e-00-02-{VID}
  • Sub-second advertisements
    • intervals are specified in centiseconds
    • 100 centiseconds = 1 second
  • IPv6 needs 2 addresses: a virtual link-local address plus a global address
    • since JunOS 12.2 an auto-generated link-local/virtual link-local address is possible
  • You must have Router Advertisements enabled
    • that's the new cool way for default-gateway propagation to hosts
[Image: IPv4/VRRPv2 vs. IPv6/VRRPv3]

You need JunOS 12.2 for the full VRRPv3 implementation of RFC 5798. Prior JunOS versions only implement the draft (http://tools.ietf.org/html/draft-ietf-vrrp-unified-spec-02), which differs in the checksum calculation and several minor features.
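The differences listed above are easiest to see in the packet bytes. The following script is an added example, not from the original post: it builds constructed VRRPv2 (RFC 3768) and VRRPv3 (RFC 5798) advertisements and decodes them, so the missing authentication fields, the 12-bit centisecond interval, the IPv6 virtual MAC prefix and the checksum rule of RFC 5798 (for IPv6 the checksum covers an RFC 2460 pseudo-header plus the VRRP message, for IPv4 the message only) are all visible. The packet builders, the addresses and the VRID values are assumptions made for the example.

```python
"""Decode VRRPv2 and VRRPv3 advertisements side by side (added example)."""
import ipaddress
import struct

VRRP_NEXT_HEADER = 112  # IANA protocol number for VRRP


def internet_checksum(data):
    """RFC 1071 one's complement checksum; evaluates to 0 over a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv6_pseudo_header(src, dst, length):
    """RFC 2460 section 8.1 pseudo-header: src, dst, upper-layer length, zeros, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", length) + b"\x00\x00\x00" + bytes([VRRP_NEXT_HEADER]))


def virtual_mac(vrid, family):
    """00-00-5e-00-01-{VID} for IPv4 and 00-00-5e-00-02-{VID} for IPv6 (RFC 5798)."""
    return "00-00-5e-00-%02x-%02x" % ({4: 0x01, 6: 0x02}[family], vrid)


def build_v2(vrid, priority, adver_int_s, addrs, auth_type=0):
    """VRRPv2 advertisement: 8-bit interval in seconds, auth type byte, 8-byte auth data."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs),
                      auth_type, adver_int_s, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + b"\x00" * 8
    pkt = bytearray(hdr + body)
    struct.pack_into("!H", pkt, 6, internet_checksum(bytes(pkt)))
    return bytes(pkt)


def build_v3(vrid, priority, adver_int_cs, addrs, src=None, dst=None):
    """VRRPv3 advertisement: 12-bit interval in centiseconds, no authentication fields."""
    addrs = [ipaddress.ip_address(a) for a in addrs]
    hdr = struct.pack("!BBBBHH", (3 << 4) | 1, vrid, priority, len(addrs),
                      adver_int_cs & 0x0FFF, 0)
    pkt = bytearray(hdr + b"".join(a.packed for a in addrs))
    # IPv6: checksum over pseudo-header + message; IPv4: over the message only.
    prefix = ipv6_pseudo_header(src, dst, len(pkt)) if addrs[0].version == 6 else b""
    struct.pack_into("!H", pkt, 6, internet_checksum(prefix + bytes(pkt)))
    return bytes(pkt)


def decode(pkt, src=None, dst=None):
    """Return the fields that differ between versions and whether the checksum verifies."""
    version, vrid, priority, count = pkt[0] >> 4, pkt[1], pkt[2], pkt[3]
    if version == 2:
        family, prefix = 4, b""
        fields = {"auth_type": pkt[4], "adver_interval_s": float(pkt[5])}
        addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    elif version == 3:
        size = (len(pkt) - 8) // count if count else 4
        family = 6 if size == 16 else 4
        # Without the IPv6 src/dst the pseudo-header cannot be rebuilt, so the check fails.
        prefix = ipv6_pseudo_header(src, dst, len(pkt)) if family == 6 and src and dst else b""
        interval_cs = struct.unpack("!H", pkt[4:6])[0] & 0x0FFF
        fields = {"auth_type": None, "adver_interval_s": interval_cs / 100}
        addrs = [str(ipaddress.ip_address(pkt[8 + size * i:8 + size * (i + 1)]))
                 for i in range(count)]
    else:
        raise ValueError("unsupported VRRP version %d" % version)
    fields.update({"version": version, "vrid": vrid, "priority": priority,
                   "addresses": addrs, "virtual_mac": virtual_mac(vrid, family),
                   "checksum_ok": internet_checksum(prefix + pkt) == 0})
    return fields


if __name__ == "__main__":
    print(decode(build_v2(1, 100, 1, ["192.0.2.1"])))
    v3 = build_v3(1, 100, 100, ["fe80::1"], src="fe80::2", dst="ff02::12")
    print(decode(v3, src="fe80::2", dst="ff02::12"))
```

Decoding the IPv6 advertisement without the source and destination addresses makes the checksum check fail, which is exactly the kind of interoperability problem you get when one side computes the checksum over the message alone and the other includes the pseudo-header.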

Configuring archival

In this post we take a short look at the topic "Archival" as part of "Device Infrastructure".

JunOS can automatically copy the current configuration to a storage location. This can be triggered by a time interval or by a commit.

In JunOS 10.4 only the FTP and SCP protocols are available. Starting with JunOS 12.4 more options are available, like local copy, HTTP and passive FTP. Besides IPv4 you can also use IPv6 host addresses as destinations.

You start configuring archival under the system hierarchy. You must specify the protocol, username, directory and password which should be used.

The syntax looks like this:

system {
    archival {
        configuration {
            archive-sites {
                "ftp://<username>:<password>@<host>:<port>/<url-path>";
                "scp://<username>:<password>@<host>:<port>/<url-path>";
            }
            transfer-interval <interval>;
            transfer-on-commit;
        }
    }
}

The notation is “<Protocol>://<Username>[:Password]@<Host IPv4/IPv6>:<TCP Port>/URL-Path”, for example “scp://backup@10.0.0.1:22/home/router-configs/”.

You can specify a time interval in minutes with the option “transfer-interval”, after which the configuration is automatically copied. The range is 15 to 2880 minutes.

You can also add the option “transfer-on-commit” to get a copy after every commit.

If the transfer fails, you will see a message like “Apr  17 12:41:42  router logger: transfer-file failed to transfer /var/transfer/config/router_juniper.conf.gz_20130417_124059” in your messages log.

If this happens, check the connectivity to your SCP/FTP server in inet.0 and also the username and password settings. You can also verify the operation manually from the shell, e.g. with scp:

admin@router> start shell
% scp /config/juniper.conf.gz admin@10.1.1.1:/home/backup/
ssh: connect to host 10.1.1.1 port 22: Connection refused
lost connection
%
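A failed archival transfer is easy to miss until the day you need the backup. The following script is an added example (not from the original post): it checks an archive-sites URL against the notation described above (ftp or scp on JunOS 10.4, username, host, TCP port and a directory path), checks a transfer-interval against the 15 to 2880 minute range, and scans syslog lines for the “transfer-file failed to transfer” message so a monitoring job can alert when backups stop. The syslog excerpt is constructed after the message quoted above; the unrelated commit line in it is an assumption.

```python
"""Validate archival settings and detect failed transfers (added example)."""
import re
from urllib.parse import urlsplit

SCHEMES_JUNOS_10_4 = {"ftp", "scp"}
INTERVAL_MIN, INTERVAL_MAX = 15, 2880  # transfer-interval range in minutes


def check_archive_site(url, schemes=SCHEMES_JUNOS_10_4):
    """Return a list of problems with an archive-sites URL; an empty list means OK."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in schemes:
        problems.append("unsupported protocol %r" % parts.scheme)
    if not parts.username:
        problems.append("missing username")
    if not parts.hostname:  # IPv6 literals must be written as [addr]
        problems.append("missing host")
    try:
        parts.port  # None when omitted, ValueError when not a valid port number
    except ValueError:
        problems.append("invalid port")
    if not parts.path.endswith("/"):
        problems.append("url-path should be a directory ending in '/'")
    return problems


def check_transfer_interval(minutes):
    """True when the interval lies inside the range JunOS accepts."""
    return INTERVAL_MIN <= minutes <= INTERVAL_MAX


# Matches the failure message quoted above: timestamp, hostname, file name.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+logger:\s+"
    r"transfer-file failed to transfer\s+(?P<file>\S+)"
)

# Constructed /var/log/messages excerpt: two failures and one unrelated line.
SAMPLE_MESSAGES = """\
Apr  17 12:41:42  router logger: transfer-file failed to transfer /var/transfer/config/router_juniper.conf.gz_20130417_124059
Apr  17 12:45:01  router mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation
Apr  17 12:56:43  router logger: transfer-file failed to transfer /var/transfer/config/router_juniper.conf.gz_20130417_125601
"""


def failed_transfers(text):
    """Return (timestamp, file) for every failed transfer found in the log text."""
    return [(m.group("ts"), m.group("file"))
            for m in (FAIL_RE.match(line) for line in text.splitlines()) if m]


if __name__ == "__main__":
    print(check_archive_site("scp://backup@10.0.0.1:22/home/router-configs/"))
    print(check_archive_site("http://backup@10.0.0.1/home/router-configs"))
    for ts, path in failed_transfers(SAMPLE_MESSAGES):
        print("%s  archival failed for %s" % (ts, path))
```

The URL check catches the typos that otherwise only show up as the logger message above (wrong scheme, missing user, a path that is not a directory), and the log scan gives you the file name of every archive that never left the box, which is what you want to alert on rather than the absence of a success message.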