Sunday 4 November 2012

[JTips] Configure NTP server


JUNOS TIP: Keeping routers (and their log timestamps) synchronized with NTP, and protecting the routing engine with a firewall filter applied to lo0, are two best practices that are usually deployed together.


One of NTP's less-understood nuances on Junos is that "show ntp associations" obtains the peer status by querying the local daemon over the 127.0.0.1 loopback address (UDP port 123), and that query passes through the lo0 input filter like any other packet bound for the routing engine. Make sure your protection filter permits it, or you will get a time-out instead of the status display even though clock synchronization itself keeps working.


Scenario: You have configured Junos for NTP, and while actual clock synchronization appears to be working fine, you notice that the "show ntp associations" command is timing out:


user@host> show ntp associations
localhost: timed out, nothing received
***Request timed out

The solution is to make sure your routing-engine protection filter permits that internal exchange with the NTP daemon. In this case the term below is discarding it, because 127.0.0.1 is not in the prefix list of exempted sources:
[edit]
user@host# show firewall family inet filter ROUTER-ACCESS term NTP-REJECT
from {
  source-prefix-list {
    default-prefix;
    NTP-ROUTER-ACCESS except;
  }
  protocol udp;
  port ntp;
}
then {
  discard;
}

user@host# show policy-options prefix-list NTP-ROUTER-ACCESS
10.0.3.1/32;
10.0.3.99/32;

Add the loopback address to the NTP-ROUTER-ACCESS prefix list and commit the change:

[edit policy-options prefix-list NTP-ROUTER-ACCESS]
user@host# show | compare

+   127.0.0.1/32;
After the commit the status display works as expected ("*" marks the selected system peer, "+" a candidate peer):

user@host# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.3.99       130.149.17.8     2 u   29   64  377    0.624   -0.427   0.280
+10.0.3.1        192.36.143.150   2 -   24  128  377    2.343    2.014   0.168
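The same fix written out as a complete, tighter routing-engine protection filter. This is an added example, not configuration from the original post: the filter, prefix-list, counter and interface names, the lo0 address and the NTP server addresses are assumed for illustration. Rather than simply adding 127.0.0.1/32 to the exempted-sources list (which would also exempt a packet arriving from the network with a spoofed 127.0.0.1 source), the local ntpq query is matched on both source and destination 127.0.0.1, and the discard term counts what it drops so a mis-filtered query shows up in the filter counters.

```junos
/* Added example: RE protection filter that allows the local ntpq query
   and the configured NTP servers, and counts everything else.
   All names and addresses below are assumed for illustration. */
policy-options {
    prefix-list NTP-SERVERS {
        10.0.3.1/32;
        10.0.3.99/32;
    }
    prefix-list LOCALHOST {
        127.0.0.1/32;
    }
}
firewall {
    family inet {
        filter ROUTER-ACCESS {
            /* "show ntp associations" talks to ntpd over 127.0.0.1; matching
               both ends keeps a spoofed 127.0.0.1 source from the network
               out of this exemption. "port ntp" covers query and reply. */
            term NTP-LOCAL {
                from {
                    source-prefix-list {
                        LOCALHOST;
                    }
                    destination-prefix-list {
                        LOCALHOST;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Replies from the configured servers only. */
            term NTP-SERVERS {
                from {
                    source-prefix-list {
                        NTP-SERVERS;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Anything else on UDP/123 is counted and dropped; the counter
               is visible in "show firewall filter ROUTER-ACCESS". */
            term NTP-REJECT {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    count ntp-rejected;
                    discard;
                }
            }
            /* Terms for SSH, routing protocols, SNMP and so on belong here,
               ahead of the final deny. */
            term DEFAULT-DENY {
                then {
                    count other-rejected;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ROUTER-ACCESS;
                }
                address 10.0.0.1/32;
            }
        }
    }
}
system {
    ntp {
        server 10.0.3.99;
        server 10.0.3.1;
    }
}
```

Because the filter ends in a discard, apply it with "commit confirmed" so a term you forgot (SSH, for example) cannot lock you out of the box; once "show ntp associations" returns the peer table and "show firewall filter ROUTER-ACCESS" shows the ntp-rejected counter standing still, confirm the commit.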

Thursday 1 November 2012

[JUNOS] Class of Service – Queuing and Scheduling

CoS Process (figure)

Why do we need queuing, and when do we use it?

Queuing and scheduling control how traffic flows are prioritized on the way out of an interface:

    <> Queue priority – which forwarding class (FC) gets more or less access to the outbound interface.

    <> Transmission rate – how much bandwidth each FC gets.

    <> Delay buffer – how many packets each queue can hold during congestion.

    <> Congestion management – which flows, and which loss priority within a flow, get dropped during congestion.
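The four knobs above map onto a Junos scheduler one for one. The following is an added example, not configuration from the original post: the forwarding-class names, queue numbers, percentages and the interface name are assumed for illustration, and the queue numbers stay within 0-3 so the example fits platforms with only four queues per port.

```junos
/* Added example: schedulers, a scheduler map and a drop profile covering
   queue priority, transmission rate, delay buffer and congestion management.
   Names, percentages and the interface are assumed for illustration. */
class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 voice;
        queue 2 video;
        queue 3 network-control;
    }
    /* Congestion management: WRED profile that starts dropping once the
       queue is 70% full and drops everything at 100%. Applied below only
       to high loss-priority best-effort traffic. */
    drop-profiles {
        BE-HIGH-PLP {
            fill-level 70 drop-probability 0;
            fill-level 100 drop-probability 100;
        }
    }
    schedulers {
        /* Voice: high priority, guaranteed rate, shallow buffer to bound delay. */
        VOICE-SCHED {
            transmit-rate percent 20;
            buffer-size percent 10;
            priority high;
        }
        VIDEO-SCHED {
            transmit-rate percent 30;
            buffer-size percent 30;
            priority medium-high;
        }
        /* Routing protocols: small rate, but served ahead of user traffic. */
        NC-SCHED {
            transmit-rate percent 5;
            buffer-size percent 5;
            priority high;
        }
        /* Best effort takes whatever bandwidth and buffer is left, and its
           high loss-priority packets are the first to be dropped. */
        BE-SCHED {
            transmit-rate remainder;
            buffer-size remainder;
            priority low;
            drop-profile-map loss-priority high protocol any drop-profile BE-HIGH-PLP;
        }
    }
    scheduler-maps {
        EDGE-MAP {
            forwarding-class voice scheduler VOICE-SCHED;
            forwarding-class video scheduler VIDEO-SCHED;
            forwarding-class network-control scheduler NC-SCHED;
            forwarding-class best-effort scheduler BE-SCHED;
        }
    }
    interfaces {
        ge-0/0/1 {
            scheduler-map EDGE-MAP;
        }
    }
}
```

Two things to check after committing: the explicit transmit-rate percentages must not exceed 100 (here they sum to 55, and "remainder" takes the rest), and "show class-of-service interface ge-0/0/1" should list EDGE-MAP against the interface. If a queue needs strict priority (for example voice on a converged link), "priority strict-high" exists, but it can starve the lower queues unless its rate is limited, so prefer the high/medium-high/low ladder shown here unless you have measured the need.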


[JUNOS] Class of Service – Policing

CoS Process (figure)

Why Policing?

Policing limits the rate and burstiness of traffic entering the device:

   <> Defines what is considered "too much" traffic (a rate plus a burst allowance).

   <> Can be applied to an entire interface.

   <> Can be applied to a specific traffic flow selected by a firewall filter.

   <> Traffic exceeding the threshold can be dropped or given a higher loss priority, so the scheduler drops it first under congestion.


Junos supports three types of policer:

     1. Single-Rate Two-Color Marking – one rate and one burst size; traffic is either in or out of contract.

     2. Single-Rate Three-Color Marking (srTCM, RFC 2697) – one rate with a committed and an excess burst; traffic is green, yellow or red.

     3. Two-Rate Three-Color Marking (trTCM, RFC 2698) – a committed rate and a peak rate, each with its own burst; traffic between the two rates is yellow, above the peak rate red.
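All three policer types configured side by side and applied through one inbound filter, as an added example that is not configuration from the original post. The policer and filter names, the rates, the SNMP and video selectors and the interface are assumed for illustration; the burst sizes follow the common rule of thumb of roughly ten times a 1500-byte MTU.

```junos
/* Added example: the three Junos policer types and a filter that applies
   them to inbound traffic. Names, rates and the interface are assumed. */
firewall {
    /* 1. Single-rate two-color: out-of-contract packets are discarded. */
    policer SR2C-1M-DROP {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    /* 2. Single-rate three-color (srTCM, RFC 2697): red packets are
       discarded by the action statement; yellow packets are only marked
       with a higher loss priority and left for the scheduler. */
    three-color-policer SR3C-10M {
        action {
            loss-priority high then discard;
        }
        single-rate {
            committed-information-rate 10m;
            committed-burst-size 15k;
            excess-burst-size 30k;
        }
    }
    /* 3. Two-rate three-color (trTCM, RFC 2698): no action statement, so
       nothing is dropped here; yellow and red packets are marked and the
       drop decision is made by the egress scheduler under congestion. */
    three-color-policer TR3C-10M-20M {
        two-rate {
            committed-information-rate 10m;
            committed-burst-size 15k;
            peak-information-rate 20m;
            peak-burst-size 30k;
        }
    }
    family inet {
        filter POLICE-IN {
            /* A specific flow: cap SNMP polling hard. */
            term snmp {
                from {
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer SR2C-1M-DROP;
                    accept;
                }
            }
            /* Another flow: video streams marked AF41 get the srTCM policer. */
            term video {
                from {
                    dscp af41;
                }
                then {
                    three-color-policer {
                        single-rate SR3C-10M;
                    }
                    accept;
                }
            }
            /* Everything else on the interface: two-rate policer. */
            term rest {
                then {
                    three-color-policer {
                        two-rate TR3C-10M-20M;
                    }
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input POLICE-IN;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

"show firewall filter POLICE-IN" shows the per-policer counters, which is the quickest way to confirm that a policer is actually seeing traffic and that the burst sizes are not so small that ordinary TCP flows are being clipped.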

[JUNOS] Class of Service – Classification

CoS process (figure)

What is Classification?

A classifier assigns inbound traffic to forwarding classes:

# It identifies and separates traffic based on the incoming packet's header fields:

     <> CoS bits (DSCP, IP precedence, MPLS EXP, IEEE 802.1p)

     <> Protocol, ports, addresses, etc.

# Forwarding classes are linked to physical queues in the device.

# Classifiers also set the loss priority (drop precedence):

     <> Used by policers and schedulers to help decide which traffic to drop under congestion.


Two types of classification

  # Multifield (MF) classification

     <> Separates incoming traffic based on packet header fields (e.g. IP addresses, port numbers, protocol).

     <> Configured as a firewall filter whose terms set the forwarding class and loss priority; applied to an interface/VLAN.

  # Behavior Aggregate (BA) classification

     <> Separates incoming traffic based on the CoS marking already in the packet (DSCP, IP precedence, EXP, 802.1p).

     <> Configured under "classifiers"; applied to an interface/VLAN.
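Both classifier types on one interface, as an added example that is not configuration from the original post. The forwarding-class names, DSCP code points, the call-manager address, the SIP port and the interface are assumed for illustration. The BA classifier trusts the DSCP bits, and the MF filter then corrects two cases where trusting the marking is a bad idea on a customer-facing port.

```junos
/* Added example: a DSCP BA classifier plus an MF classifier (firewall
   filter) on the same interface. Names, code points, addresses and the
   interface are assumed for illustration. */
class-of-service {
    forwarding-classes {
        queue 0 best-effort;
        queue 1 voice;
        queue 2 video;
        queue 3 network-control;
    }
    classifiers {
        /* BA classification keyed on DSCP. "import default" keeps the
           built-in mappings for any code point not listed here. */
        dscp DSCP-IN {
            import default;
            forwarding-class voice {
                loss-priority low code-points ef;
            }
            forwarding-class video {
                loss-priority low code-points af41;
                loss-priority high code-points [ af42 af43 ];
            }
            forwarding-class network-control {
                loss-priority low code-points [ cs6 cs7 ];
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp DSCP-IN;
                }
            }
        }
    }
}
firewall {
    family inet {
        /* MF classification. The filter is evaluated after the BA
           classifier, so a term that sets forwarding-class overrides it. */
        filter MF-CLASSIFY {
            /* SIP signalling only from the call manager goes to voice. */
            term sip-from-callmanager {
                from {
                    source-address 10.10.10.5/32;
                    protocol udp;
                    port 5060;
                }
                then {
                    forwarding-class voice;
                    loss-priority low;
                    accept;
                }
            }
            /* Untrusted port: user traffic marked CS6/CS7 must not ride in
               the network-control queue next to our routing protocols. */
            term no-user-nc {
                from {
                    dscp [ cs6 cs7 ];
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input MF-CLASSIFY;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
```

Note that the no-user-nc term changes only the forwarding class inside this router; the CS6/CS7 bits are still in the header when the packet leaves, so a downstream device with its own BA classifier will trust them again unless an egress rewrite rule re-marks them. "show class-of-service interface ge-0/0/0" confirms which classifier is bound, and "show firewall filter MF-CLASSIFY" shows whether the override terms are matching anything.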