Sunday 4 November 2012

[JTips] Configure NTP server

 

JUNOS TIP: Keeping routers (and their log timestamps) synchronized with NTP, and the use of lo0-based routing engine protection firewall filters, are two best practices that are often deployed together.


Another one of NTP’s not-so-well-understood nuances is its need to use the 127.0.0.1 loopback address when communicating with the local daemon to obtain server association status. Make sure your protecting filters allow such traffic, or you’ll get an error rather than the expected status display.


Scenario: You have configured Junos for NTP, and while actual clock synchronization appears to be working fine, you notice that the "show ntp associations" command is timing out:


user@host# show ntp associations
localhost: timed out, nothing received
***Request timed out

The solution is to make sure your routing-engine protection filter permits internal communications with the ntp daemon:
[edit]
user@host# show firewall family inet filter ROUTER-ACCESS term NTP-REJECT
from {
  source-prefix-list {
    default-prefix;
    NTP-ROUTER-ACCESS except;
  }
  protocol udp;
  port ntp;
}
then {
  discard;
}

user@host# show policy-options prefix-list NTP-ROUTER-ACCESS
10.0.3.1/32;
10.0.3.99/32;

Modify the NTP-ROUTER-ACCESS prefix list to include the loopback address, like this:

[edit policy-options prefix-list ntp-router-access]
user@host# show | compare

+ 127.0.0.1/32;
user@host# run show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.3.99       130.149.17.8     2 u   29   64  377    0.624   -0.427   0.280
+10.0.3.1        192.36.143.150   2 -   24  128  377    2.343    2.014   0.168

Thursday 1 November 2012

[JUNOS] Class of Service – Queuing and Scheduling

 

CoS Process [figure]

Why do we need queuing, and when do we use it?

Queuing and scheduling control the prioritization of traffic flows:

    <> Queue priority – which forwarding class (FC) gets more/less access to the outbound interface

    <> Transmission rate – how much bandwidth each FC gets.

    <> Delay buffer – how many packets can be held during congestion

    <> Congestion management – which flows get dropped during congestion.
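As an added example (not from the original post), the Junos class-of-service stanza below maps each of the four controls above to a configuration knob: priority and transmit-rate on the scheduler, buffer-size for the delay buffer, and a drop profile for congestion management. The names SCHED-EF, SCHED-BE, DP-BE, SM-CORE and the interface ge-0/0/0 are assumed.

```junos
class-of-service {
    /* Congestion management: a drop profile that starts discarding
       best-effort packets as the queue fills. */
    drop-profiles {
        DP-BE {
            fill-level 70 drop-probability 10;
            fill-level 100 drop-probability 100;
        }
    }
    schedulers {
        /* Queue priority: strict-high is served first; transmit-rate
           and buffer-size bound the bandwidth and delay buffer it gets. */
        SCHED-EF {
            transmit-rate percent 20;
            buffer-size percent 10;
            priority strict-high;
        }
        /* Best effort: the remaining bandwidth and buffer; its
           high loss-priority packets are dropped first via DP-BE. */
        SCHED-BE {
            transmit-rate percent 80;
            buffer-size percent 90;
            priority low;
            drop-profile-map loss-priority high protocol any drop-profile DP-BE;
        }
    }
    /* The scheduler map ties each forwarding class (queue) to a scheduler. */
    scheduler-maps {
        SM-CORE {
            forwarding-class expedited-forwarding scheduler SCHED-EF;
            forwarding-class best-effort scheduler SCHED-BE;
        }
    }
    /* Scheduling applies on the outbound interface. */
    interfaces {
        ge-0/0/0 {
            scheduler-map SM-CORE;
        }
    }
}
```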

 


[JUNOS] Class of Service – Policing

 

CoS Process [figure]

Why Policing?

Policing controls inbound traffic burstiness:

   <> Defines what is considered ‘too much’ traffic

   <> Can be applied to an entire interface

   <> Can be applied to a specific traffic flow

   <> Traffic exceeding threshold can be dropped or given lower priority

 

Junos has three types of policing:

     1. Single-Rate Two-Color Marking

     2. Single-Rate Three-Color Marking

     3. Two-Rate Three-Color Marking
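As an added example (not from the original post), one Junos policer of each of the three types listed above, side by side; the policer names and the 10m/20m rates and 100k/200k burst sizes are constructed values.

```junos
firewall {
    /* 1. Single-rate two-color: one rate and one burst size;
       conforming traffic passes, excess is discarded. */
    policer POL-2COLOR {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then {
            discard;
        }
    }
    /* 2. Single-rate three-color (RFC 2697): one rate, two bursts.
       Within CBS = green, within EBS = yellow, above = red. */
    three-color-policer POL-SR3C {
        single-rate {
            color-blind;
            committed-information-rate 10m;
            committed-burst-size 100k;
            excess-burst-size 200k;
        }
        action {
            loss-priority high then discard;
        }
    }
    /* 3. Two-rate three-color (RFC 2698): committed and peak rates.
       Between CIR and PIR = yellow, above PIR = red (discarded here). */
    three-color-policer POL-TR3C {
        two-rate {
            color-blind;
            committed-information-rate 10m;
            committed-burst-size 100k;
            peak-information-rate 20m;
            peak-burst-size 200k;
        }
        action {
            loss-priority high then discard;
        }
    }
}
```

Apply POL-2COLOR to a whole interface with "set interfaces ge-0/0/0 unit 0 family inet policer input POL-2COLOR", or a three-color policer to a specific flow from a firewall filter term with "then three-color-policer two-rate POL-TR3C"; yellow packets keep their lower loss priority (medium-high) and are the first to be dropped by the scheduler under congestion.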

[JUNOS] Class of Service – Classification

 

CoS process [figure]

What is Classification?

A classifier assigns inbound traffic to forwarding classes

# Can identify and separate traffic based on the incoming packet’s header fields:

     <> CoS bits

     <> Protocol, port, addresses, etc.

# Forwarding classes are linked to physical queues in the devices.

# Classifiers also specify loss priority (drop precedence)

     <> Used by policer and scheduler to help determine which traffic to drop under congestion

 

Two types of classification:

  # Multifield (MF) classification

     <> Can separate incoming traffic based on packet header fields (e.g. IP addresses, port numbers)

     <> Configured using a firewall filter; applied to an interface/VLAN.

  # Behavior Aggregate (BA) classification

     <> Can separate incoming traffic based on CoS marking

     <> Configured using a classifier; applied to an interface/VLAN.
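As an added example (not from the original post), both classification types above in Junos configuration: an MF classifier built as a firewall filter, and a BA classifier that trusts DSCP code points. The filter and classifier names, UDP port 5060 and interface ge-0/0/0 are assumed.

```junos
/* Multifield (MF) classification: a firewall filter matches on
   header fields and sets the forwarding class and loss priority. */
firewall {
    family inet {
        filter MF-CLASSIFY {
            term VOICE-SIGNALLING {
                from {
                    protocol udp;
                    destination-port 5060;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term DEFAULT {
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                    accept;
                }
            }
        }
    }
}
/* Behavior aggregate (BA) classification: trust the packet's DSCP
   marking and map code points to forwarding class / loss priority. */
class-of-service {
    classifiers {
        dscp BA-DSCP {
            forwarding-class expedited-forwarding {
                loss-priority low code-points ef;
            }
            forwarding-class best-effort {
                loss-priority high code-points be;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp BA-DSCP;
                }
            }
        }
    }
}
```

Apply the MF filter with "set interfaces ge-0/0/0 unit 0 family inet filter input MF-CLASSIFY"; when both are present on an interface, the MF filter's result overrides the BA classification, which is why MF is the right place to stop untrusted hosts from promoting their own traffic by setting DSCP bits.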

Wednesday 31 October 2012

[JTips] Disable "Auto-negotiation" on JUNOS

Auto-negotiation configured on GE interfaces can cause packet loss on both sides, with the FIFO error statistics increasing, as shown here:

lab@router> show interfaces extensive ge-0/0/0 
Physical interface: ge-0/0/0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 79, Generation: 11
Description: coloc uplink
Link-level type: Ethernet, MTU: 1518, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
<...>
  MAC statistics:                      Receive         Transmit
    Total octets                       5473299         96564932
    Total packets                       112044              398
    Unicast packets                     888990           696389
    Broadcast packets                   158996           401151
    Multicast packets                    64059             4121
    CRC/Align errors                         0                0
    FIFO errors                              0            43518
    MAC control frames                       0                0
    MAC pause frames                         0                0
    Oversized frames                         0
    Jabber frames                            0
    Fragment frames                          0
    VLAN tagged frames                       0
    Code violations                          0

At the same time, the GE auto-negotiation status is "Incomplete" or "No-autonegotiation":

Autonegotiation information:
      Negotiation status: No-autonegotiation, Link partner status: Ok, Link partner: Unknown, Flow control: None

Disable auto-negotiation for GE interfaces:

[edit interfaces ge-0/0/0]
root@LAB# show
gigether-options {
    no-auto-negotiation;
}
unit 0 {
    family inet {
        address 192.168.1.1/24;
    }
}

Sunday 21 October 2012

[ScreenOS] vs [JunOS]

Each entry gives the ScreenOS command, the JUNOS equivalent, and notes.

Session & Interface counters

  ScreenOS: get session
  JUNOS:    > show security flow session

  ScreenOS: get interface
  JUNOS:    > show interface terse

  ScreenOS: get counter stat
            get counter stat <interface>
  JUNOS:    > show interface extensive
            > show interface <interface> extensive

  ScreenOS: clear counter stat
  JUNOS:    > clear interface statistics <interface>

Debug & Snoop

  ScreenOS: debug flow basic
  JUNOS:    # edit security flow
            # set traceoptions flag basic-datapath
            # commit
  Notes:    Creates debugs in the default file /var/log/security-trace.
            See KB16108 for traceoptions info.

  ScreenOS: set ff
  JUNOS:    # edit security flow
            # set traceoptions packet-filter
  Notes:    Packet-drop is a feature that will be added.

  ScreenOS: get ff
  JUNOS:    > show configuration | match packet-filter | display set

  ScreenOS: get debug
  JUNOS:    > show configuration | match traceoptions | display set

  ScreenOS: get db stream
  JUNOS:    View stored log (recommended option):
            > show log <file name> (enter h to see help options)
            > show log security-trace (to view 'security flow' debugs)
            > show log kmd (to view 'security ike' debugs)
            View real-time (use this option with caution):
            > monitor start <debugfilename>
            ESC-Q (to pause real-time output to screen)
  Notes:    'monitor stop' stops the real-time view, but debugs are still collected in the log files.

  ScreenOS: clear db
  JUNOS:    > clear log <filename> (clears contents of file)
  Notes:    Use 'file delete <filename>' to actually delete the file.

  ScreenOS: undebug <debug> (stops collecting debugs)
  JUNOS:    # edit security flow
            # deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
            # commit
  Notes:    Deactivate makes it easier to enable/disable; use 'activate traceoptions' to re-enable.

  ScreenOS: undebug all
  JUNOS:    Not available. You need to deactivate or delete traceoptions separately.

  ScreenOS: debug ike detail
  JUNOS:    # edit security ike
            # set traceoptions flag ike
            # commit
  Notes:    Creates debugs in the default file kmd.

  ScreenOS: snoop (packets THRU the JUNOS device)
  JUNOS:    Use the Packet Capture feature: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
  Notes:    Not supported on SRX 3x00/5x00 yet.

  ScreenOS: snoop (packets TO the JUNOS device)
  JUNOS:    > monitor traffic interface <int> layer2-headers
            write-file option (hidden)
            read-file (hidden)
  Notes:    Only captures traffic destined for the RE of the router itself.
            Excludes PING.
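As an added example (not part of the original table), the 'debug flow basic' equivalent scoped the way a practitioner would want it on a production SRX: the trace file is size-bounded and rotated, and packet filters restrict the trace to one TCP session in each direction instead of every flow through the box. The addresses 10.1.1.10 and 10.2.2.20, port 443 and the filter names are constructed.

```junos
security {
    flow {
        traceoptions {
            /* Bound the trace file: 10 MB, keep 3 rotated copies
               (the page's default file name security-trace is kept). */
            file security-trace size 10m files 3;
            flag basic-datapath;
            /* Trace only the client-to-server half of one HTTPS session. */
            packet-filter PF-CLIENT-TO-SERVER {
                source-prefix 10.1.1.10/32;
                destination-prefix 10.2.2.20/32;
                protocol tcp;
                destination-port 443;
            }
            /* ...and the matching server-to-client half. */
            packet-filter PF-SERVER-TO-CLIENT {
                source-prefix 10.2.2.20/32;
                destination-prefix 10.1.1.10/32;
                protocol tcp;
                source-port 443;
            }
        }
    }
}
```

Read the result with "show log security-trace" and deactivate the traceoptions once done, as the table describes; an unfiltered basic-datapath trace on a busy device can fill /var/log quickly.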

Event Logs

  ScreenOS: get event
  JUNOS:    > show log messages
            > show log messages | last 20 (helpful because the newest log entries are at the end of the file)

  ScreenOS: get event | include <string>
  JUNOS:    > show log messages | match <string>
            > show log messages | match "<string> | <string> | <string>"
            Examples:
            > show log messages | match "error | kernel | panic"
            > show log messages | last 20 | find error
  Notes:    There is not an equivalent command for 'get event include <string>'.
            match displays only the lines that contain the string.
            find displays output starting from the first occurrence of the string.

  ScreenOS: clear event
  JUNOS:    > clear log messages

  JUNOS:    > show log

Config & Software upgrade

  ScreenOS: get config
  JUNOS:    > show config (program structured format)
            > show config | display set (set command format)

  ScreenOS: get license
  JUNOS:    > show system license keys

  ScreenOS: get chassis (serial numbers)
  JUNOS:    > show chassis hardware detail
            > show chassis environment
            > show chassis routing-engine

  ScreenOS: exec license
  JUNOS:    > request system license [add | delete | save]

  ScreenOS: unset all
            reset
  JUNOS:    # load factory-default
            # set system root-authentication plain-text-password
            # commit and-quit
            > request system reboot
  Notes:    See KB15725.

  ScreenOS: load config from tftp <tftp_server> <configfile>
  JUNOS:    > start shell, then FTP the config to the router, e.g. /var/tmp/test.cfg. Then:
            # load override /var/tmp/test.cfg (or full path of config file)
  Notes:    TFTP is not supported. Use only FTP, HTTP, or SCP.

  ScreenOS: load software from tftp <tftp_server> <screenosimage> to flash
  JUNOS:    > request system software add
            Example:
            > request system software add ftp://10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
  Notes:    TFTP is not supported. Use only FTP, HTTP, or SCP.
            Use 'request system software rollback' to roll back to the previous software package.
            See KB16652.

  ScreenOS: save
  JUNOS:    # commit OR
            # commit and-quit

  ScreenOS: reset
  JUNOS:    > request system reboot

Policy

  ScreenOS: get policy
  JUNOS:    > show security policies

  ScreenOS: get policy from <zone> to <zone>
  JUNOS:    > show security policies from-zone <zone> to-zone <zone>

VPN

  ScreenOS: get ike cookie
  JUNOS:    > show security ike security-associations

  ScreenOS: get sa
  JUNOS:    > show security ipsec security-associations
            > show security ipsec statistics

  ScreenOS: clear ike cookie
  JUNOS:    > clear security ike security-associations

  ScreenOS: clear sa
  JUNOS:    > clear security ipsec security-associations

NSRP

  ScreenOS: get nsrp
  JUNOS:    > show chassis cluster status
            > show chassis cluster interfaces
            > show chassis cluster status redundancy-group <group>

  ScreenOS: exec nsrp vsd <vsd> mode backup (on master), see KB5885
  JUNOS:    > request chassis cluster failover redundancy-group <group> node <node>

  JUNOS:    > request chassis cluster failover reset redundancy-group <group>

DHCP

  ScreenOS: get dhcp client
  JUNOS:    > show system services dhcp client
  Notes:    See KB15753.

  ScreenOS: exec dhcp client <int> renew
  JUNOS:    > request system services dhcp renew (or release)

Routing

  ScreenOS: get route
  JUNOS:    > show route

  ScreenOS: get route ip <ipaddress>
  JUNOS:    > show route <ipaddress>

  ScreenOS: get vr untrust-vr route
  JUNOS:    > show route instance untrust-vr

  ScreenOS: get ospf nei
  JUNOS:    > show ospf neighbor

  ScreenOS: set route 0.0.0.0/0 interface <int> gateway <ip>
  JUNOS:    # set routing-options static route 0.0.0.0/0 next-hop <ip>
  Notes:    See KB16572.

NAT

  ScreenOS: get vip
  JUNOS:    > show security nat destination-nat summary

  ScreenOS: get mip
  JUNOS:    > show security nat static-nat summary

  ScreenOS: get dip
  JUNOS:    > show security nat source-nat summary
            > show security nat source-nat pool <pool>

Other

  ScreenOS: get perf cpu
  JUNOS:    > show chassis routing-engine

  ScreenOS: get net-pak s
  JUNOS:    > show system buffers

  ScreenOS: get file
  JUNOS:    > show system storage

  ScreenOS: get alg
  JUNOS:    > show configuration groups junos-defaults applications
  Notes:    All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command.

  ScreenOS: get service
  JUNOS:    > show configuration groups junos-defaults applications

  ScreenOS: get tech
  JUNOS:    > request support information

  ScreenOS: set console page 0
  JUNOS:    > set cli screen-length 0

  JUNOS:    > file list <path>
            Example: file list /var/tmp/
  Notes:    Shows the directory listing. Note that / is needed at the end of the path.

  # = configuration mode prompt
  > = operational mode prompt

Sunday 30 September 2012

How to hide configuration?


JUNOS TIP: An often forgotten or unnoticed Junos tip is that you can hide common pieces of configuration in everyday use by setting apply-flags omit in the hierarchy you want to omit, like so:

[edit]
user@device# set system apply-flags omit

[edit]
user@device# show
## Last changed: 2011-05-02 17:24:51 UTC
version 10.3R1.9;
system { /* OMITTED */ };
logical-systems {
[...]

After committing, "show system" in configuration mode still shows the whole stanza, and editing works just as it usually does:

[edit]
user@device# show system
apply-flags omit;
host-name device;
root-authentication {
encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
[...]

Use "show | display omit" at the top of the configuration to show the entire configuration without omitting sections:

[edit]
user@device# show | display omit
## Last changed: 2011-05-02 17:24:51 UTC
version 10.3R1.9;
system {
apply-flags omit;
host-name device;
root-authentication {
encrypted-password "$1$KI99zGk6$MbYFuBbpLffu9tn2.sI7l1"; ## SECRET-DATA
[...]

This tip is useful for hiding long, uninteresting, static pieces of various configurations.