
Quick-Series 33 – Wildcard Range? Very Efficient


Hi,

When you have to scale a configuration, whether it is a large number of static routes for some testing or lab preparation for a certification exam, the manual method is to write the static routes out in Notepad; a smarter next step is a spreadsheet or a scripting language.

Task – Configure 10 static routes ranging from 1.0.0.0/24 to 1.0.10.0/24 with next hop reject

Junos offers a convenient way to do this with the wildcard range command; here is how it looks.


If you need to learn more about wildcard ranges, follow the Juniper Networks link below:

https://www.juniper.net/techpubs/en_US/junos/topics/example/junos-cli-wildcard-range-configuring.html
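As an added example that is not from the original post, here is the scripting-language route the post mentions: a short Python 3 script that emits the equivalent Junos set commands for the task. It uses the standard ipaddress module so that the prefixes are validated and the loop works for any prefix length; the function name is my own.

```python
import ipaddress


def static_route_commands(first_prefix, last_prefix, next_hop="reject"):
    """Return 'set routing-options static route ...' lines for every subnet
    from first_prefix to last_prefix inclusive (both with the same prefix length).

    ipaddress validates both inputs, so a typo such as 1.0.0.0/33 raises
    ValueError instead of quietly producing a broken configuration.
    """
    first = ipaddress.ip_network(first_prefix, strict=True)
    last = ipaddress.ip_network(last_prefix, strict=True)
    first_int = int(first.network_address)
    last_int = int(last.network_address)
    if first.prefixlen != last.prefixlen or last_int < first_int:
        raise ValueError("range must be ascending and use a single prefix length")

    commands = []
    # step through the address space one subnet of this size at a time
    for addr in range(first_int, last_int + 1, first.num_addresses):
        network = ipaddress.ip_network((addr, first.prefixlen))
        commands.append("set routing-options static route %s %s" % (network, next_hop))
    return commands


if __name__ == "__main__":
    # The task from the post: 1.0.0.0/24 through 1.0.10.0/24 with next hop reject.
    # Paste the output into configuration mode (or feed it to 'load set terminal').
    for line in static_route_commands("1.0.0.0/24", "1.0.10.0/24"):
        print(line)
```

Generating plain set commands keeps the output reviewable before it is committed, which matters when the same script is later pointed at production boxes rather than a lab.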


Hope this helps your preparation.


Regards

Rakesh M

Quick Series 31 – Getting started with PYEZ – Step 1 to automate your Data Collection


Hi,

Following the post on installing PyEZ:

https://r2079.wordpress.com/2016/06/28/pyez-first-impressions-installation/

Let us explore a very simple program that connects to the box and retrieves its version.

Step 1 – Configure the device to accept NETCONF sessions. You do this by configuring NETCONF over SSH under system services.


Let's look at what the PyEZ code looks like. I am using an Ubuntu Linux host on my local LAN.

#########################################################################

from __future__ import print_function   # print() form runs under Python 2 and 3
import sys
from jnpr.junos import Device

# Lab credentials are hard-coded here for brevity; outside a lab use SSH keys or prompt for them
dev = Device('10.0.0.1', user='labroot', password='lab123')
try:
    dev.open()                                   # opens the NETCONF-over-SSH session
except Exception as err:
    print("Unable to connect to Device", err)
    sys.exit(1)
print("\n#################################")
print("\n Successfully Connected to M120")
print("\n#################################")

print("\n \n show version | no-more")

print(dev.cli("show version | no-more"))         # run the CLI command and print its text output

dev.close()                                      # close the NETCONF session

print("\n#############################################")
print("\nConnection with M120 Terminated Successfully")
print("\n#############################################")

print("\n \n END OF THE PROGRAM")

####################################################################

Let us try to execute the program.


You could improve on this by adding a raw_input() call, so that the program asks for the IP address and feeds it to the connection instead of you hard-coding it. The code below does exactly that.

####################################################################

from __future__ import print_function
import sys
from jnpr.junos import Device

# Adding raw_input() (input() on Python 3) makes the program ask you for the IP address
d = raw_input("\n ENTER THE IP ADDRESS OF THE DEVICE: ")
dev = Device(d, user='labroot', password='lab123')
try:
    dev.open()
except Exception as err:
    print("Unable to connect to Device", err)
    sys.exit(1)

# Print each command before its output so the collected text is readable afterwards
for cmd in ("request support information | no-more",
            "show log messages | no-more",
            "show log chassisd | no-more"):
    print("\n \n", cmd)
    print(dev.cli(cmd))

dev.close()
print("\n END OF THE PROGRAM")

####################################################################
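As an added example, my own code rather than the post's, here is how I would structure the same data collection so that it is testable and does not embed the password: the address typed by the user is validated before it reaches the library, credentials are prompted for with getpass, and the collector accepts any object with a cli() method, so it can be run against a constructed stand-in device when no router is on the LAN. The function names, the command list and the sample output are my own.

```python
import datetime
import getpass
import ipaddress
import re
import sys

try:
    from jnpr.junos import Device           # only needed to talk to a real router
except ImportError:                         # the helpers below still work without PyEZ installed
    Device = None

# Constructed command list; extend it with whatever you collect for a case
COMMANDS = (
    "show version | no-more",
    "show chassis hardware detail | no-more",
    "show log messages | no-more",
)

# Constructed 'show version' text, so the pipeline can be exercised offline
SAMPLE_SHOW_VERSION = "Hostname: M120\nModel: m120\nJunos: 15.1R1.9\n"


class SampleDevice:
    """Stand-in for a PyEZ Device: answers cli() with canned text (constructed)."""

    def cli(self, command):
        if command.startswith("show version"):
            return SAMPLE_SHOW_VERSION
        return "## no sample output for: %s" % command


def valid_host(text):
    """Return the address as a canonical string, or None if it is not an IP address.

    Keeping the check strict means arbitrary typed input never reaches the
    connection library; accept hostnames here only if you also resolve them.
    """
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def collect(dev, commands=COMMANDS):
    """Run each command through dev.cli() and return {command: text output}."""
    return {cmd: dev.cli(cmd) for cmd in commands}


def parse_version(show_version_text):
    """Pull hostname, model and Junos version out of 'show version' text output."""
    fields = {}
    for key, label in (("hostname", "Hostname"), ("model", "Model"), ("junos", "Junos")):
        m = re.search(r"^%s:\s*(\S+)" % label, show_version_text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def save_report(results, path):
    """Write the collected outputs to a text file, one section per command."""
    with open(path, "w") as fh:
        for cmd, out in results.items():
            fh.write("##### %s #####\n%s\n\n" % (cmd, out))
    return path


def main():
    host = valid_host(input("ENTER THE IP ADDRESS OF THE DEVICE: "))  # input() is Python 3's raw_input()
    if host is None:
        sys.exit("not an IP address")
    user = input("Username: ")
    password = getpass.getpass("Password: ")      # prompted, never echoed, never hard-coded
    if Device is None:
        sys.exit("junos-eznc (PyEZ) is not installed")
    dev = Device(host=host, user=user, password=password)
    try:
        dev.open()                                # NETCONF over SSH, as enabled in step 1
    except Exception as err:
        sys.exit("Unable to connect to Device: %s" % err)
    try:
        results = collect(dev)
    finally:
        dev.close()                               # always release the session, even on error
    print(parse_version(results[COMMANDS[0]]))
    stamp = datetime.datetime.now().strftime("%Y%m%d-%H%M%S")
    print("saved to", save_report(results, "%s-%s.txt" % (host, stamp)))


if __name__ == "__main__":
    main()
```

Because collect() only depends on a cli() method, `collect(SampleDevice())` runs the whole path on a laptop; swapping in the real Device changes nothing else in the script.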

We will see more of PYEZ and underlying functions in subsequent posts.

Regards
Rakesh M

Quick-Series 28 – Vlan-Rewrite on Mx


Hi,

VLAN rewrite on the MX is handy and can be done fairly easily. Let us see a scenario where it comes in handy.

topology

Problem – The service provider has VLANs that are currently also used by customers, so technically we cannot have one bridge domain combining our internal LAN and the customer LANs (speaking purely from the perspective of this post).

VLAN rewrite can be used to get around this issue.

Initially the customer tries to ping the SP, but there appears to be no reply from the MX.

initial_ping_response_fail

Now, let us configure a bridge domain for each of these two customers and associate a routing interface with each bridge domain.

configuring_bridge_domains_2

Configuring VLAN rewrite

configuring_interface_rewrite

Final verification is much simpler.

final_verification


Regards

Rakesh M


Virtual Switch Instance – vMX


Hi,

The virtual-switch instance was always a fascination for me, for the simple reason that you could turn a router into a bridge/switch for everything. Although there are many advantages and applications, I quickly wanted to write up the lab scenario I have done. I always prefer to see the simple things first and then, maybe, deep-dive into the feature.

Requirement – Routers 1, 2 and 3 are all attached to the vMX; they have to ping each other through the vMX, and this has to happen via a virtual-switch instance. Someone who already knows about the default switch / bridge domains could ask why not use those; this post will expand on why we needed the virtual-switch advantage in the first place when we revisit it.


Below is the topology.

Topology

ge-0/0/0 is connected to R1, ge-0/0/1 to R2 and ge-0/0/3 to R3. Let us see what we need to configure at a basic level for this to work.


1_intf_outtputs

So far so good. What next? As per the requirement, we need to create a virtual-switch instance.

2_instance_creation

Everything is fine, but communication is not yet established. The reason is simple: we have used the enterprise-style interface definition, so, to put it simply, we still have to configure a bridge domain for VLAN ID 100 and associate these interfaces with it. There is also the concept of a learning domain, which gets associated with the bridge domain, but that is not what this post is about.

Let us quickly create a bridge domain for VLAN ID 100 and see if it changes anything. Note that the bridge domain is now part of the instance, and here comes the beauty of the virtual switch: you could have a completely different virtual switch with the same VLAN and it just works fine. Recall the idea of a VRF / routing instance now 😉

Fantastic!

3_final_output

Let us look at the configuration again along with the MAC table.

4_final_mac_output

Regards

Rakesh M


BGP FLOWSPEC – ALLOWING TELNET AND BLOCKING ICMP VIA BGP ?


Hi,

BGP in the Juniper implementation has an address family called flow. Interestingly, Juniper implemented (or at least documented) this well before the BGP FlowSpec RFC was standardized. The crux of the topic is DDoS mitigation.

Two main perspectives – proactive and reactive (from the service provider's point of view):

a. The customer informs the SP of the DDoS automatically through routing updates

b. The customer informs the SP of the DDoS and the service provider then acts on it on their own

Juniper Documentation:

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/routing-bgp-flow-specification-routes.html

Coming to the sample topology – interdomain DDoS mitigation example

Topology


Requirement / ask – The customer finds that 3.3.3.3/32 is taking a massive hit of ICMP and wants to block it temporarily, while other services such as Telnet should remain operational and functional.

Let us quickly look at the current state of operations at the defaults.

BGP between R1 and R2 and between R2 and R3 looks fine; ping works and so does telnet, no problems there.

1_vmx_bgp

Enabling family flow between the SP routers R1 and R2 and on the PE-CE session between R2 and R3

2_bgp_flow

Enabling flow on the customer router under routing-options

3_routing_options

Advertising the route

4_advertising_routes

Let us test the result on R1.

5_view_on_r1

As we can see, the ping is blocked now. You can also see the communities: protocol 1 is advertised in inet-flow, which indicates that ICMP is blocked.

6_ping_block_telnet

Let us see the final view on R2. We can see that a firewall filter has automatically been installed in the control plane of R1/R2/R3 on all incoming interfaces, enforcing the requirement.

7_fw_filter_on_controlplane
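To make the installed filter's logic concrete, here is an added example (my own code, not the post's) that models the flow-specification route the customer advertises, destination 3.3.3.3/32 with IP protocol 1 and a discard action, and evaluates constructed sample packets against it the way the auto-installed filter would. The classes are my own and deliberately reduce RFC 5575 matching to destination prefix, protocol and destination port; rule ordering between overlapping routes is not modelled.

```python
import ipaddress

ICMP, TCP, UDP = 1, 6, 17          # IP protocol numbers


class FlowRoute:
    """One BGP flow-specification route: match components plus a traffic action.

    Only destination prefix, IP protocol and destination port are modelled;
    a real flowspec NLRI can also carry source prefix, source port, ICMP
    type/code, TCP flags, packet length, DSCP and fragment bits.
    """

    def __init__(self, dst_prefix, protocol=None, dst_port=None, action="accept"):
        self.dst_prefix = ipaddress.ip_network(dst_prefix)
        self.protocol = protocol
        self.dst_port = dst_port
        self.action = action           # "discard" corresponds to the traffic-action the post shows

    def matches(self, dst, protocol, dst_port=None):
        """True when every component that the route specifies matches the packet."""
        if ipaddress.ip_address(dst) not in self.dst_prefix:
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True


def flow_filter(routes):
    """Return a decide(dst, protocol, dst_port) function that mimics the firewall
    filter Junos installs from received inet-flow routes: first matching route
    wins, and a packet matching no route is accepted (the filter only adds terms)."""
    def decide(dst, protocol, dst_port=None):
        for route in routes:
            if route.matches(dst, protocol, dst_port):
                return route.action
        return "accept"
    return decide


# Constructed inet-flow route for the post's requirement:
# block ICMP (protocol 1) towards 3.3.3.3/32 and leave everything else alone.
CUSTOMER_FLOW_ROUTES = [FlowRoute("3.3.3.3/32", protocol=ICMP, action="discard")]
decide = flow_filter(CUSTOMER_FLOW_ROUTES)

if __name__ == "__main__":
    # constructed sample packets: ping to the victim, telnet to the victim, ping elsewhere
    for dst, proto, port in (("3.3.3.3", ICMP, None), ("3.3.3.3", TCP, 23), ("3.3.3.4", ICMP, None)):
        print(dst, proto, port, "->", decide(dst, proto, port))
```

The point the model makes visible is that the discard is scoped by every component together: the Telnet session to the same host passes because the route names protocol 1, and ICMP to a neighbouring address passes because the route names a /32.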


This is an attempt to understand the flowspec feature; it is vast and has many knobs to deal with.


Regards

Rakesh M


Overload Bit – 0XFFFF -> Advertisement Behavior Stub vs Transit


Hi,

While exploring certain knobs of OSPF I came across the overload bit.

When would you use the overload bit?

-> Your device has just started and you do not want traffic to pass through it until all the protocols have converged.

-> You are going into a maintenance window and want to drain traffic automatically as far as the IGP is concerned.

What does the overload bit do?

-> It advertises transit networks with the maximum metric, 0xFFFF (65535). Okay, I specifically said transit networks. What about the router's own loopbacks or connected networks? What is the behaviour there? When is a connected network called stub, and when transit?


Let us see the topology below.

topology_1

Let us have a quick look at the normal output, and at what it looks like on r3 once the overload knob is configured on r2.


1_normal_output_before

2_ospf_db_output_after_overload

3_r3_output_with_metric

Now, the 9.9.27.0 network on r3 appears with a metric of 2. Hold that thought, as it is going to change.


4_looking_at_db

From the above, the 9.9.27.0 network is listed as stub, and going back to the definition, only whatever is transit gets affected. What happens when I bring up peering over r2-r7? Does the 9.9.27.0 interface change from stub to transit? Let us see how it gets altered.


5_final_output

The image above shows the change in behaviour once things change on R2: the metric for the 9.9.27.0 network is now 6553x, as it is treated as transit on Router-2.

To keep it simple: any OSPF routes learned from other neighbors will be sent out with the highest metric, so that no other router will use this router's path as the best one for forwarding traffic.
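The stub-versus-transit difference observed above can be reproduced with a small shortest-path calculation. The following is an added example, my own code rather than anything from the post: a simplified link-state database in which each link is tagged stub or transit, an advertised_metric() that applies the RFC 6987 stub-router rule (transit links get MaxLinkMetric 0xFFFF, stub links keep their cost), and a Dijkstra run from r3. The topology is constructed after the post's description (r3, r2 and the 9.9.27.0 network, with r7 peering as a switch); function names are mine.

```python
import heapq

MAX_LINK_METRIC = 0xFFFF      # 65535, the MaxLinkMetric of RFC 6987 used by the overload knob


def advertised_metric(link_type, metric, overloaded):
    """Metric a router places in its router-LSA for one link.

    An overloaded router advertises its transit links, the ones other routers
    could use to pass *through* it, with MaxLinkMetric; stub links (loopbacks,
    networks with no other OSPF router on them) keep their configured cost.
    """
    if overloaded and link_type == "transit":
        return MAX_LINK_METRIC
    return metric


def spf(lsdb, source):
    """Dijkstra over a simplified link-state database.

    lsdb = {router: {"overload": bool, "links": [(neighbour, link_type, metric), ...]}}
    A neighbour that is not itself a key of lsdb is a leaf, i.e. a network such
    as "9.9.27.0/24". Returns {node: cost from source}.
    """
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue                                   # stale heap entry
        for nbr, link_type, metric in lsdb.get(node, {}).get("links", []):
            new = cost + advertised_metric(link_type, metric, lsdb[node]["overload"])
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                heapq.heappush(heap, (new, nbr))
    return dist


def build_lsdb(r2_overloaded, r7_peering):
    """Constructed topology after the post: r3 -- r2 -- 9.9.27.0/24.

    Until r2 forms an adjacency with r7 on 9.9.27.0/24 that link is a stub
    network in r2's LSA; once the adjacency is up it becomes a transit link.
    """
    link_27 = "transit" if r7_peering else "stub"
    return {
        "r3": {"overload": False, "links": [("r2", "transit", 1)]},
        "r2": {"overload": r2_overloaded,
               "links": [("r3", "transit", 1), ("9.9.27.0/24", link_27, 1)]},
    }


def metric_from_r3(r2_overloaded, r7_peering):
    """Cost r3 computes towards 9.9.27.0/24 for the given r2 state."""
    return spf(build_lsdb(r2_overloaded, r7_peering), "r3")["9.9.27.0/24"]


if __name__ == "__main__":
    for overloaded, peering in ((False, False), (True, False), (True, True)):
        print("r2 overload=%-5s r7 peering=%-5s -> r3 metric to 9.9.27.0/24: %d"
              % (overloaded, peering, metric_from_r3(overloaded, peering)))
```

With r2 overloaded but the network still a stub, r3 keeps seeing cost 2; the moment the same link becomes transit the cost jumps to 65536 (1 + 0xFFFF), which is the "6553x" the post observes, and any path that has to cross r2 is no longer chosen when an alternative exists.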


Regards

Rakesh M


Generated Route ! A Beauty with Policies


Hi,

I have had a couple of requests to write up the generated route concept. The generated route is by far the topic I found most complex when I was preparing for the JNCIE-SP exam.

-> Generated routes and aggregate routes are almost identical and differ only in their next hops: an aggregate route always has a reject next hop, whereas a generated route has a valid next hop.

-> A generated route is installed as [aggregate/130], so by default, if you refer to it in a policy, you need to match it with protocol aggregate.

The points above are the general ones, but digging deeper we need to understand the actual application of a generated route.

Let us see the topology below first.

toplogy


What is the ask?

Two ISPs, A and B, are connected. The ISP-A edge router has a loopback of 4.4.4.4/32 and the ISP-B edge router has a loopback of 3.3.3.3/32. We need to send a default route as long as we have a connection to ISP-A; if the connection to ISP-A is lost, ISP-B needs to be preferred.


This looks pretty easy and frankly can be done in multiple ways, but how do we do it with the generated route concept?


Let us quickly check that we have an OSPF adjacency between SRX1 and SRX2 and BGP between R3 and R4 exchanging their loopbacks.

output1


Let us see the OSPF policy, the generated route and the associated route policy.

output3


The policy looks good; let us examine the route now.

output4


NOW THE PROBLEM

As we can see, the 0/0 route is preferring ISP-B instead of ISP-A.


When you closely examine the contributing routes, 3.3.3.3/32 is installed well before 4.4.4.4/32 and the ordering follows from there.

How do we make sure 4.4.4.4/32 is preferred over 3.3.3.3/32 as the contributing route?

Let us write a simple policy to lower the local preference of the 3.3.3.3/32 route so that it is less preferred. Note that 4.4.4.4/32 and 3.3.3.3/32 are not from the same neighbor, nor do they have multiple exit points; the logic here is to increase the overall credibility of one route over the other.

output5


Now that this is done, let us see if it worked: our 0/0 should prefer ISP-A; in the event that ISP-A goes down, ISP-B should be preferred; and when ISP-A returns, ISP-A should be preferred again.


output6


output7


Let us check on SRX1 whether it receives the route.

output8


That explains it all: not only the route itself but many other factors influence the outcome.


Regards

Rakesh M
