1
OSI:
7-app
6-present
5-session
4-transport
3-net
2-data-link
1-phy
tcp/ip
4-app
3-transport
2-internet/network
1-link/network access
Please do
not throw
sausage pizza
away
Armadilloes
take in
new ants
MAC = Media Access Control
LLC= Link Local Control
L2 header: preamble + SFD, src MAC, dst MAC, type, data, FCS
L3 ipv4: Header 20B ipv6: header:
L4: syn, syn-ack, ack
hub=layer1 repeater
qos: classification, marking, mgmt/policy
2 Describe Ethernet and ipv4
binary/decimal/hexadecimal
MAC address (48bits): OUI (24) + Interface ID (24)
ipv4: 32b (8×4)
unicast, multicast, broadcast
multicast MAC prefix: 01005E
ipv4 multicast range: 224-239
3 Apply ipv4
subnetting/supernetting
ARP
4 ipv6
128 bits: 8 x quartet (16b each)
broadcast: none!!!!!!!!!
multicast: MAC: 33-33:.. // FF00::/8
link-local: always assigned, not routable: FE80::/10 or /64
unique local: like priv ip, routable internally. FC00::/7 or FD00::/8
global unicast: pub ip, routable internet 2000::/3
2001:1234:5678::/48
2001:1234:5678:9abc::/64
2001:1234:5678:9abc:d:e:f:0/127
NDP = Neighbor Discovery Protocol -> ICMP + link-local + multicast.
- Duplicate address detection (DAD)
- link layer address resolution
- Neighbor Solicitation: src.ip link-local, dst.ip: solicited_node_ip (ff02::1:)
- Neighbor Advertisement:
Router Discovery:
router solicitation: RS, request sent by host, dst.ip: FF02::2 (all routers) use link-local as src.ip
router advertisement: RA, reply sent by router, src.ip link-local, dst.ip = FF02::1 (all hosts in link-local). It contains global unicast range
SLAAC: Stateless Address AutoConfiguration
1) obtain prefix through RA
2) host creates its own interface id.
2.1: use EUI-64: take the MAC (48b) and fill -> 1st half of MAC + FFFE + 2nd half of MAC, then flip the 7th bit of the MAC.
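Worked example of the SLAAC/NDP address math above (added here, not part of the original notes): EUI-64 interface ID from a MAC, the address a host forms under the notes' 2001:1234:5678:9abc::/64 prefix, the solicited-node group that NS/DAD targets, and the 33-33 / 01-00-5E multicast MAC mappings. The MAC 00:1c:42:aa:bb:cc is a constructed sample.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """64-bit modified EUI-64 IID from a 48-bit MAC:
    1st half MAC + FF:FE + 2nd half MAC, then flip the 7th bit (U/L bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # 7th bit of the first byte = universal/local flag
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host builds by SLAAC: /64 prefix learned from the RA + EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_interface_id(mac), "big"))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address (FE80::/64) that is always assigned from the MAC."""
    return slaac_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group used by NS and DAD:
    ff02::1:ff00:0/104 + the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def ipv6_multicast_mac(group: str) -> str:
    """33-33 + low 32 bits of the IPv6 group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def ipv4_multicast_mac(group: str) -> str:
    """01-00-5E + low 23 bits of the IPv4 group (224-239.x.x.x)."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError("not an IPv4 multicast group")
    low23 = int(g) & 0x7FFFFF
    return "01:00:5e:" + ":".join(f"{b:02x}" for b in low23.to_bytes(3, "big"))


if __name__ == "__main__":
    mac = "00:1c:42:aa:bb:cc"  # constructed sample MAC
    ll = link_local(mac)
    print(ll, slaac_address("2001:1234:5678:9abc::/64", mac), solicited_node(str(ll)))
```

Because the EUI-64 IID embeds the MAC, the host's hardware identity is visible in every IPv6 packet it sends; RFC 4941 privacy extensions exist to avoid that.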
5 – Intro Juniper Cert and labs
OS fundamentals, user interface, configuration basics, operational monitoring and maintenance
routing fundamentals, routing policy and firewall filters.
lab: ex2200, vMX, vQFX, vSRX (kvm)
juniper vlabs – are free!
junos genius -> get voucher for jncia, and train for -s and -p.
-> day-one books!
6- Junos Arch
daemons
control plane (routing engine, RE) vs data plane (packet forwarding engine, PFE). The forwarding table is created by the RE and then copied to the PFE
exception traffic = non-transit traffic -> goes to RE
PFE can handle ICMP responses
major.minor.X = security (srx)
F = feature
R = bug fixes
7 Junos CLI
request system zeroize
mgd = mgmt daemon
/config -> junos config
% -> freebsd cli
> -> operational mode
# -> config mode
show interfaces terse
ctrl-a -> beginning of line
ctrl-e -> end of line
help tip cli
help topic x
help apropos interfaces
show x | save /var/tmp/text.txt
file show /var/tmp/text.txt
delete
show conf | display x
8 Create Junos Base Config
operator: clear network reset trace view
read-only: view
super-user: all
unauthorized: none
snmp: privacy -> priv+auth
auth -> authNopriv
[] -> list
syslog: timestamp hostname facility:message
set system syslog file x | host y
server -> makes the device a syslog server !!!
0 emergency (kernel)
1 alert (user-space)
2 critical
3 error
4 warning
5 notice
6 info
7 any (debug)
set vlans NAME vlan-id x
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access vlan members NAME
trunk vlan members [NAME1 NAME2]
srx -> untrust / trust
9 Configure Junos Interfaces
set vlans NAME vlan-id 25
set interfaces vlan unit 25 family inet address IP/24
set vlans NAME l3-interface vlan.25
eui-64: use mac 48b
set address 2001:db8:dead:beef::/65 eui-64
10 Junos config datastores
active config
configure -> candidate config global
configure private -> private candidate per user
configure exclusive -> lock candidate for other users. Uncommitted changes are lost after exit
request system configuration rescue save
rollback rescue
edit archival configuration
set archive-sites http|ftp|scp://user:pass@url
set transfer-on-commit
encrypt: aes/des
11 Routing
inet.0 ipv4 unicast
inet.1 ipv4 multicasts
RE: creates Routing table, then Forwarding table, then it is copied to the PFE
1 – most specific
2 – lowest AD
0 direct (connected)
AD: 5 static routes
10 ospf internal
15 isis
150 ospf ext
160 isis ext
170 bgp
set routing-options static route DST/x next-hop NH1
qualified-next-hop NH2 preference 7
ospf:
224.0.0.5: hello
.6: DR
edit protocols ospf
set area 0.0.0.0 interfaces X.0
edit routing-instances
set NAME_INSTANCE interface x.0
routing-options static route
protocols ospf area 0.0.0.2 interface y.0
there are several types of routing-instances: ie:
vrf: for mpls, RD, RT, import/export
virtual-router: no import/export, no RD, RT
ipv6 static route:
edit routing-options
set rib inet6.0 static route X/Y next-hop Z
edit protocols ospf3
set area 0.0.0.0 interface X.0
12 multi-vendor ospf
router id: highest lo IP or explicit
hello: router-id,
area-id,
timers (hello interval: 10 dead-interval: 40 (ethernet)),
area-types: stub, total-stub, nssa
mtu mismatch (stuck in ExStart)
LSA-types:
set routing-options router-id IP-Lo;
edit protocols
set ospf area 0.0.0.0 interface lo0.0;
show ospf database: ID = LSA ID !!!!
ref bw / interface bw = metric
ref bw = 100 Mbps on Juniper
set protocols ospf reference-bandwidth (bits per second!!!!)
13 Route policies
routing table modification: import/export policies
route distribution: think of the perspective of the routing table
edit policy-options
set policy-statement ISIS2OSPF from protocol isis then accept
from prefix-list NAME then xxx
from route-filter IP/x orlonger
set policy-statement TEST1 term T1 from protocol isis then accept
set policy-statement TEST1 term T2 from prefix-list NAME then tag 1
then accept
edit protocols ospf
export ISIS2OSPF
edit policy-options
set prefix-list PL IP/x
bgp:
edit policy-options
set policy-statement BGP-TEST1 then you can change/add many BGP attributes
default routing policies junos
bgp: default import: accept all
export: readvertise all (exception iBGP for split-horizon)
mpls: default import: accept all
export: readvertise all
isis: default import: accept all
export: reject everything
ldp: default import: accept all
export: reject all
ospf: default import: accept all (you can’t override this by ospf design)
export: reject all
14 Firewall Filter (ACLs) – not stateful !!! -> need input/output !!!
data-plane modification -> accept, drop, QoS, change NH, RPF, logging, counting
edit firewall
edit family inet
set filter NAME term T1 from source-address IP/32
from destination-port 80
then accept
term then discard (IMPLICIT!!!)
edit interfaces xe-0/0/0 unit 0 family inet
set filter input FILTER-NAME
discard -> drop + no logging (silently)
reject -> drop + send ICMP
qos:
policer
edit firewall
set policer SSH-BE if-exceeding bandwidth-limit 100m then forwarding-class best-effort
edit firewall family inet filter NAME
set term T1 then forwarding-class assured-forwarding
then policer SSH-BE
RPF:
strict
loose
edit interfaces ge-0/0/0 unit 0 family inet
set rpf-check fail-filter NAME-FF
15- Operate and Maintain Junos
show system storage
alarms
commit
connections
statistics
show chassis alarms
environment
hardware
routing-engine
show virtual-chassis
show chassis fpc
show route table X.0 IP/X extensive
show interfaces ge-0/0/0.0 extensive
show interfaces ge-0/0/0 extensive -> MAC address, CoS
monitor interface ge-0/0/0 -> statistics live
monitor interface traffic -> all interfaces stats
monitor traffic interface ge-0/0/0.0 extensive -> tcpdump
request system halt -> graceful shutdown
request system storage cleanup dry-run
request system software add /var/tmp/xxxx.tgz reboot
=================
JNCIA – Official training
Note: The process of moving routes between a routing protocol and the routing table is described always from the point of view of the routing table. That is, routes are imported into a routing table from a routing protocol and
routes are exported from a routing table to a routing protocol.
Intro JunOS on-demand
l2mtu: 1514 (incl. ethernet header) -> physical interface
terse, brief, detail, extensive
set cli screen-width 1000
configure exclusive -> lock for one user, but other users can’t commit
configure private -> only commit from top, locks the hierarchy where you have made a change
commit at
clear system commit
disable (put at the end) -> interfaces and protocols -> “delete …. disable”
deactivate (put at the beginning) -> nearly anything, it is commenting out a piece of config -> use “activate”
rename: rename address 1.1.1.1/31 to address 1.1.1.11/31
replace pattern: replace pattern xe-0/1/2 with xe-0/1/4 (hierarchy aware!)
copy / move
insert
annotate
save
load
wildcard delete
emacs short-cuts
ctrl-w – delete word
ctrl-a – beginning
ctrl-e – end
ctrl-k – delete everything from cursor onwards
esc-b – backwards 1 word
esc-f – forwards 1 word
show route -> Local = IP configured on an interface
- = chosen active route between two or more protocols
= best path between two paths from the same protocol
set routing-options static route IP/23 next-hop IP
rib inet6.0 static route …
::/0
show route protocol static
ospf => LSA
isis => LSPs
set protocols ospf[3] area 0 interface xe-0/0/0.0 [passive]
hello: 224.0.0.5, area, hello, dead=4xhello
ospf3 -> ipv6
ex3400
show configuration vlans
set vlans NAME vlan-id X
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode [access|trunk]
vlan members [NAME1 NAME2]
set interfaces ge-0/0/1 vlan-tagging !!!!
unit 10 vlan-id 10
family inet address IP1/24
show ethernet-switching table vlan NAME
MistAI:
port security, loop prevention, poe, vc, macsec, evpn-vxlan
missing vlans, wifi, port bounced, etc. onboarding, AI. Marvis (assistant)
wifi assurance, wired assurance, wan assurance
mgmt port: fxp0, em0,
manual
set system time-zone UTC
set date yyyymmddhhmm
ntp
set system ntp server IP
show system uptime
show ntp associations
set system name-server IP
set system login user NAME class CLASS authentication encrypted-password xxxxx
$6$ -> SHA-512
super-user, unauthorized, operator (clear, view, reset, trace, network), read-only (view)
flags: all, clear, configure, network (ping, traceroute), view (no-config-show, system-wide, routing, protocol)
j-web SRX, a few mx.
configure, monitor, status, upgrade
set system service web-management https system-generated-certificate
rs-232
set system login message “xxx” // before login
set system login announcement “xxxx” // after login
delete system commit factory-settings
request system configuration rescue save
rollback rescue
request system reboot/halt [both-routing-engines]
ztp
dhcp (DORA)
discover(broadcast)
offer
request: replies with the same ip info
acknowledge:
dhcp-options:
routing-engine: CPU, monitoring, mgmt, system, chassis, protocol, routing, junos, ping/traceroute
write forwarding-table and send it to the data-plane (NH IP, MAC and out interface)
RIB, FIB
PFE: muscle. ASIC (<> CPU) Express – PTX, Trio – MX
look-up, forward traffic, manipulate (ethernet headers, vlans, TTL)
cos: rate-limit, fw filters, priority
exception traffic: traffic to/from RE (loopback), ssh, protocols, ping, ARP, SNMP. TTL, ICMP replies
- some PFE CPU can handle some exception traffic.
start shell
daemons: routing (rpd), chassis, interfaces, mgmt (mgd), snmp, dcd (device control daemon), ppmd (periodic packet mgmt daemon)
junos EVO
based on linux, whitebox, integrates with 3rd party
daemons are individual apps, independently of evo, data is stored in distributed database, apps can be restarted without losing state
syslog:
facility:severity:destination
show log FILENAME
show log interactive-commands | match USER
monitor start messages -> real time
monitor stop
help syslog CODE_MESSAGE
set system syslog host IP any notice
severity:
0 emergency
1 alert
2 critical
3 error
4 warning
5 notice
6 info
7 any
ping IP size PAYLOAD!!! (it is not the MTU, it doesn't include the icmp header = 8B and ip header = 20B), so for mtu=1500 you need payload 1472
output shows the size of payload + icmp header only !!!!
traceroute doesn't show the return path!!!
show ipv6 neighbors (via NDP)
monitor interface traffic -> real time stats, all interfaces
monitor interface xe-0/1/5 -> real time stats for one interface, with errors
monitor traffic interface xe-0/1/5 -> tcpdump
help apropos COMMAND (find command)
help topic ospf dead-interval (documentation)
help reference ospf area (configuration syntax reminders)
stateful -> hw fw: security policies
stateless -> check per packet, no idea about sessions, lighter load: firewall filters (ACL)
term -> from: 0+ match conditions -> then: 1+ actions
match -> nearly any field in the ipv4, ipv6 and ethernet headers
- same condition -> OR (match source IP1, match source IP2)
- diff condition -> AND (match source IP, match dst port 343)
discard -> drop silent
reject -> drop + icmp unreachable
enable count, sample, duplicate, policing (rate-limit), cos, redirect, load-balance
default in fw filter: discard -> implicit term
set firewall family inet filter NAME term TERM from CONDITIONS then ACTIONS
show config firewall family inet filter XXX | display set relative
- count/log has “accept” implicit
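Constructed Python model (added here; not Junos code) of the term semantics in this block and in section 14: values of the same condition are ORed, different conditions are ANDed, the first matching term with a terminating action decides, count/log alone implies accept, "next term" falls through, and no match hits the implicit discard. MGMT_FILTER and the packets are made-up samples.

```python
from dataclasses import dataclass, field

TERMINATING = {"accept", "discard", "reject"}


@dataclass
class Term:
    name: str
    # condition name -> set of allowed values; several values of one condition are ORed
    conditions: dict = field(default_factory=dict)
    # e.g. ["count", "accept"], ["discard"], ["log", "next term"]
    actions: list = field(default_factory=list)


def term_matches(term: Term, pkt: dict) -> bool:
    # Different conditions are ANDed: every condition must match the packet.
    return all(pkt.get(name) in allowed for name, allowed in term.conditions.items())


def evaluate(filter_terms: list, pkt: dict) -> tuple:
    """Return (terminating action, non-terminating actions applied) for one packet.
    Terms are tried in order. A matching term whose actions contain accept/discard/reject
    ends evaluation; one with only count/log implicitly accepts; 'next term' keeps going.
    If no term matches, the implicit final term discards."""
    applied = []
    for term in filter_terms:
        if not term_matches(term, pkt):
            continue
        applied.extend(a for a in term.actions if a not in TERMINATING and a != "next term")
        terminating = [a for a in term.actions if a in TERMINATING]
        if terminating:
            return terminating[0], applied
        if "next term" in term.actions:
            continue
        return "accept", applied  # count/log only -> implicit accept
    return "discard", applied  # implicit discard at the end of the filter


# Constructed sample filter: allow ssh from two admin hosts, log then reject all icmp.
MGMT_FILTER = [
    Term("T1", {"source-address": {"10.0.0.1", "10.0.0.2"}, "destination-port": {22}}, ["count", "accept"]),
    Term("T2", {"protocol": {"icmp"}}, ["log", "next term"]),
    Term("T3", {"protocol": {"icmp"}}, ["reject"]),
]

if __name__ == "__main__":
    print(evaluate(MGMT_FILTER, {"source-address": "10.0.0.2", "destination-port": 22, "protocol": "tcp"}))
    print(evaluate(MGMT_FILTER, {"source-address": "10.0.0.9", "protocol": "icmp"}))
```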
trade-offs
set interfaces xe-0/1/4 unit 0 family inet filter output NAME
show firewall counter COUNTER filter NAME
insert firewall family inet filter NAME term TERMy before|after term TERMx
set firewall family inet filter NAME apply-flags omit -> doesn't show it
set protocols ospf apply-flags omit -> doesn't show (hidden config)
show omit -> display set or display omit
protect protocols lldp -> lock config, can’t delete
unprotect protocols lldp
—
annotate system “comment”
file list /var/log
file show FILE
show commands | save LOG.txt
show config | compare FILE1
file compare files FILE1 FILE2
—
load override terminal -> replace the entire config via CLI
load merge terminal [relative] -> add your config to the current config
load merge|override FILE.txt
load set terminal
—
set system archival configuration transfer-on-commit
set groups MTU_9192 interfaces mtu 9192
set interfaces apply-groups MTU_9192
set interfaces xxxx apply-groups-except MTU_9192
show .. | display set | display inheritance [no-comments]
edit interfaces interface-range RANGE
set member-range ge-0/0/10 to ge-0/0/12
set unit 0 family ethernet-switching vlan members VLAN
wildcard delete interface xe-0/1/*
loopback:
set interfaces lo0 unit 0 family inet address ip/32
set protocols ospf area 0 interface lo0.0
RE protection -> firewall filter in lo0
router-id: lowest lo0 ip
irb: integrated routing and bridging -> default fw for vlan
set interfaces irb unit 10 family inet address ip1/24
20 …
set vlans NAME l3-interface irb.10
NAME2 20
show vlans NAME detail -> shows irb
Several IPs in interface:
is-preferred: the source to devices in the same subnet (lowest IP in the subnet)
Is-Primary: the source to devices on a different subnet. (lowest IP from all subnets)
ecmp: equal-cost multipath
LAG: link agg groups: LB per flow
set chassis aggregated-devices ethernet device-count X (>=1)
set interfaces ae0 unit 0 family inet address x
aggregated-ether-options lacp active
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
automation:
XPATH
netconf
set policy-options prefix-list DIRECT apply-path “interfaces <*> unit <*> family inet address <*>”
firewall filter: match-condition + -except -> protocol-except udp, destination-port-except 443, etc.
log + count => implicit “accept” but you can use “next term”
show firewall log
show class-of-service forwarding-class
show route forwarding-table destination IP/x table default
authentication order: if one fails/unreachable, check with the following. If all unreachable, checks local
custom login commands: (command1) | (command2)
order: permissions -> deny-commands/config -> allow-command/config (allow override deny!!!)