Spanning-Tree Poem by Radia Perlman

This is the poem by Radia Perlman, the inventor of the Spanning Tree Protocol:

I think that I shall never see
a graph more lovely than a tree.
A tree whose crucial property
is loop-free connectivity.
A tree that must be sure to span
so packet can reach every LAN.
First, the root must be selected.
By ID, it is elected.
Least-cost paths from root are traced.
In the tree, these paths are placed.
A mesh is made by folks like me,
then bridges find a spanning tree.

Simple Control-Plane Protection

To protect the control plane (the routing engine) you can define a stateless firewall filter that matches traffic on source/destination IP addresses, protocols and ports. Allow only the protocols the router really needs, and specify the match parameters as precisely as possible.

This is an example of an input filter to allow the following protocols:

Term                     Protocol                                   Action
management-accept        Telnet and SSH                             count and accept
tacacs-accept            TACACS+                                    count and accept
icmp-accept              ICMP Ping and Traceroute                   count and accept
traceroute-accept        Traceroute via UDP                         count and accept
bgp-accept               BGP                                        count and accept
ospf-accept              OSPF                                       count and accept
ldp-udp-hello-accept     LDP Hello via UDP                          count and accept
ldp-tcp-session-accept   LDP Session (database exchange via TCP)    count and accept
deny-all                 everything else                            log, syslog, discard and count

Keep in mind: you cannot create a firewall filter for family iso, so protocols like IS-IS or ES-IS cannot be filtered this way.

The following configuration shows such a filter for family inet (IPv4); the same approach can be used for family inet6 (IPv6).

firewall {
    family inet {
        filter protect-re {
            term management-accept {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count management-accept;
                    accept;
                }
            }
            term tacacs-accept {
                from {
                    protocol tcp;
                    source-port tacacs;
                }
                then {
                    count tacacs-accept;
                    accept;
                }
            }
            term icmp-accept {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    count icmp-accept;
                    accept;
                }
            }
            term traceroute-accept {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute-accept;
                    accept;
                }
            }
            term bgp-accept {
                from {
                    protocol tcp;
                    port bgp;
                }
                then {
                    count bgp-accept;
                    accept;
                }
            }
            term ospf-accept {
                from {
                    protocol ospf;
                }
                then {
                    count ospf-accept;
                    accept;
                }
            }
            term ldp-udp-hello-accept {
                from {
                    protocol udp;
                    destination-port ldp;
                }
                then {
                    count ldp-udp-hello-accept;
                    accept;
                }
            }
            term ldp-tcp-session-accept {
                from {
                    protocol tcp;
                    port ldp;
                }
                then {
                    count ldp-tcp-session-accept;
                    accept;
                }
            }
            term deny-all {
                then {
                    count denied-packets;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}

It must be applied to the lo0.0 interface in the input direction:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 1.1.1.1/32;
            }
        }
    }
}

You can verify the filter counters with “show firewall filter protect-re”. If some adjacencies or neighborships don't come up, take a closer look at the firewall log, which should record every packet hitting the “term deny-all”:

admin@ROUTER> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
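As an added example (not part of the original post), the following Python script parses a “show firewall log” dump in the format shown above, aggregates what the deny-all term is discarding, and flags IP protocols for which protect-re has no accept term at all. The sample log is constructed from the lines above plus two extra entries; the protocol set mirrors the accept terms of the filter in this post.

```python
import re
from collections import Counter

# Constructed sample, copying the column layout of the post's output.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:47:08  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:05  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:47:02  pfe       D      xe-1/3/0.11   PIM             101.21.11.3                      224.0.0.13
13:46:59  pfe       D      xe-1/3/0.11   TCP             192.0.2.10                       1.1.1.1
13:46:55  pfe       A      xe-1/3/0.11   ICMP            192.0.2.10                       1.1.1.1
"""

# One entry per line: time, filter, action (A/D/R), interface, protocol, src, dst.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<filter>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<ifl>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)

# IP protocols that protect-re has an accept term for. A discard of one of
# these means a port/type mismatch, not a protocol the filter never allows.
ACCEPTED_PROTOS = {"TCP", "UDP", "ICMP", "OSPF"}

def parse_log(text):
    """Return one dict per log entry; header lines do not match and are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def discard_summary(entries):
    """Count discards per (protocol, source, destination, interface)."""
    c = Counter()
    for e in entries:
        if e["action"] == "D":
            c[(e["proto"], e["src"], e["dst"], e["ifl"])] += 1
    return c

def missing_protocol_terms(entries):
    """Protocols that were discarded and have no accept term in the filter."""
    return sorted({e["proto"] for e in entries
                   if e["action"] == "D" and e["proto"] not in ACCEPTED_PROTOS})

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for key, n in discard_summary(ents).most_common():
        print(f"{n:4d} x {key[0]} {key[1]} -> {key[2]} on {key[3]}")
    print("discarded protocols with no accept term:", missing_protocol_terms(ents))
```

In the sample the output points straight at PIM, which the filter above never accepts; a dropped TCP flow instead suggests a destination port that is missing from an existing term.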

Differences between VRRPv2 and VRRPv3

During IPv6 testing I discovered several differences between VRRPv2 (RFC 3768 – http://tools.ietf.org/html/rfc3768) and VRRPv3 (RFC 5798 – http://tools.ietf.org/html/rfc5798) which you should be familiar with if you want to use VRRPv3 for IPv4 and IPv6:

  • VRRPv3 is a unified protocol for IPv4 and IPv6
  • It is a real version cut
    • every router in your LAN must speak the same version
    • only a hard migration is possible
    • with JunOS 12.2 you can switch via „set protocols vrrp version 3“
  • Authentication was dropped in VRRPv3; it should be done by sub-protocols
    • the only security you get is the TTL 255 check
  • Virtual MAC address for IPv4: 00-00-5e-00-01-{VID}
  • Virtual MAC address for IPv6: 00-00-5e-00-02-{VID}
  • Sub-second advertisements
    • intervals are specified in centiseconds
    • 100 centiseconds = 1 second
  • IPv6 needs 2 addresses: a virtual link-local address + a global address
    • since JunOS 12.2 an auto-generated link-local/virtual-link-local address is possible
  • You must have Router Advertisements enabled
    • that's the new cool way of propagating the default gateway to hosts
Figure: IPv4/VRRPv2 vs. IPv6/VRRPv3

You need JunOS 12.2 for the full VRRPv3 implementation of RFC 5798. Earlier JunOS versions only implement the draft (http://tools.ietf.org/html/draft-ietf-vrrp-unified-spec-02), which differs in the checksum calculation and several minor features.
