
JNCIA study notes

- You use the resolve statement after a static route to tell the router that the next hop is not directly connected.
- Primary address on an interface: it is the address used by default as the local address for broadcast and multicast packets sourced locally and sent out of the interface. It can be useful for selecting the local address used for packets sent out of unnumbered interfaces when multiple non-127 addresses are configured on the loopback interface.
- show route forwarding-table is used to see the forwarding table.
- The forwarding table is used to forward transit packets.
- The forwarding table contains only active routes.
- Benefits of class of service:
  - can control congestion
  - can prioritize traffic
  - can allocate b/w for different classes
- SNMP, DNS and TFTP use UDP.
- The root account is used to access a Junos device in the factory default configuration.
- A route can be hidden because of:
  - an invalid next hop
  - routing policy
- Every policy must contain at least one term.
- With multifield classifiers, you set the forwarding class and loss priority of a packet based on firewall filter rules.
- A multifield classifier can examine multiple fields in the packet, for example the source and destination address of the packet or the source and destination port numbers of the packet.
- Classifiers are always applied in sequential order, the BA classifier followed by the MF classifier; if they conflict, any BA classification result is overridden by the MF classifier.
- A behavior aggregate (BA) classifier operates on a packet as it enters the device.
- Using behavior aggregate classifiers, the device aggregates different types of traffic into a single forwarding class to receive the same forwarding treatment. The CoS value in the packet header is the single field that determines the CoS settings applied to the packet.

- Behavior aggregate classifiers allow you to set the forwarding class and loss priority of a packet based on the Differentiated Services (DiffServ) code point (DSCP) value, DSCP IPv4 value, DSCP IPv6 value, IP precedence value, MPLS EXP bits, or IEEE 802.1p value.
- The default classifier is based on the IP precedence value. ref: http://www.juniper.net/techpubs/software/junossecurity/junos-security10.2/junos-security-swconfig-class-ofservice/junos-cos-comp-section.html
- JUNOS Software performs BA classification for a packet by examining its layer 2, layer 3, and CoS-related parameters.
- If the source/destination (IP address or port number) is used to classify, it is a multifield classifier.
- If the DiffServ code point (DSCP) value, DSCP IPv4 value, DSCP IPv6 value, IP precedence value, MPLS EXP bits, or IEEE 802.1p value is used to classify, it is a behavior aggregate classifier.
- The default preference value can be changed (under the edit protocols hierarchy) for the BGP and OSPF routing information sources.
- Each process in the Junos OS has its own protected routing space.
- show system storage shows the amount of space available on the storage media.
- Root authentication must be configured prior to the first commit after factory defaults are loaded.
- Rescue configuration: it is created by the request system configuration rescue save command, and it must include a root password.
- set date ntp 78.46.194.186 synchronizes to an NTP server.
- save /var/tmp/current.conf saves the current candidate configuration to the permanent storage media.
- % shows a UNIX shell prompt.
- The Maintain tab in J-Web is used to add a license to the device.
- tcpdump is used in Junos to monitor traffic.
- OSPF area ID and prefix list are two valid match criteria for a routing policy.
- show | display set | save /var/tmp/current.conf saves the current candidate configuration in set format to the permanent storage media.
- If you want to ping a host through an interface that isn't the next hop in the routing table, or has no route through that interface, use the bypass-routing keyword.
- The default protocol preference for OSPF internal routes is 10.
- The default protocol preference for OSPF external routes is 150.
- Input filters applied to the loopback interface, lo0, affect only inbound traffic destined for the Routing Engine. SSH, HTTP and Telnet traffic is routed to the RE. ref: http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/applying-firewall-filters-to-interfaces.html
- The cli command is used to go from the shell prompt to the CLI prompt.
- Default import routing policy for OSPF: accept all OSPF routes and install them into the inet.0 routing table.
- The default export routing policy for RIP is to accept no routes.
- Export policies can evaluate only active routes.
- Export policies can be applied to the forwarding table.
- save current.config saves the file to /var/home/user/.
- During password recovery, the step after configuring the system to boot into single-user mode is to type recovery.
- The system permission and the super-user permission allow a user to view the system hierarchy of the active configuration.
- The default permission for SNMP on Juniper devices is read-only.
- After logging into the router as root you need to enter the cli command to make changes.
- You can configure the router to send log messages to the console (syslog on Junos).
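The BA-then-MF ordering from the classifier notes above, as an added example in Junos set syntax (not configuration from the notes): a DSCP-based behavior aggregate classifier on the ingress interface, followed by a firewall filter acting as a multifield classifier that reclassifies one flow by source prefix and destination port. The interface ge-0/0/0, the classifier and filter names, the prefix 10.20.0.0/24 and the port 5060 are assumptions.

```junos
## Added example, not from the notes. Interface, names, prefix and port are assumptions.

## Behavior aggregate (BA) classifier: maps DSCP code points to forwarding classes
## using the default forwarding-class names.
set class-of-service classifiers dscp ba-dscp forwarding-class expedited-forwarding loss-priority low code-points ef
set class-of-service classifiers dscp ba-dscp forwarding-class assured-forwarding loss-priority low code-points af11
set class-of-service classifiers dscp ba-dscp forwarding-class best-effort loss-priority high code-points be

## Apply the BA classifier to the ingress logical interface; it runs as the packet enters.
set class-of-service interfaces ge-0/0/0 unit 0 classifiers dscp ba-dscp

## Multifield (MF) classifier: a firewall filter that sets forwarding class and loss
## priority from fields the BA classifier cannot see (source prefix, destination port).
set firewall family inet filter mf-classify term voice-from-phones from source-address 10.20.0.0/24
set firewall family inet filter mf-classify term voice-from-phones from protocol udp
set firewall family inet filter mf-classify term voice-from-phones from destination-port 5060
set firewall family inet filter mf-classify term voice-from-phones then forwarding-class expedited-forwarding
set firewall family inet filter mf-classify term voice-from-phones then loss-priority low
set firewall family inet filter mf-classify term voice-from-phones then accept

## Final term: everything else keeps whatever the BA classifier assigned.
set firewall family inet filter mf-classify term everything-else then accept

## Apply the MF classifier as an input filter on the same interface. It is evaluated
## after the BA classifier, so where the two disagree the MF result is the one that stands.
set interfaces ge-0/0/0 unit 0 family inet filter input mf-classify
```

The everything-else term matters: a firewall filter ends with an implicit discard, so without a final accept the filter would drop all traffic it did not explicitly classify.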

- show system boot-messages is used to check the messages logged during system boot.
- show system alarms is used to check the active alarms on the system.
- In case of a collision both devices send a jam signal on the wire to notify other devices about the collision.
- In case of a collision both devices stop transmitting and wait for a random period of time, verify the wire is idle, and retransmit.
- monitor interface <interface name> gives you the real-time interface usage for a device.
- The two valid actions for a routing policy are:
  - next policy
  - accept
  - reject (not discard)

=================== Route Policy ===================

- To move routes from one protocol into another, a policy is again required, i.e. redistribution is done through a routing policy.
- We use a routing policy when we want to alter the default behavior of a protocol. With a policy, you can modify or ignore routes that are advertised to you as well as routes that you advertise to other neighbors.
- All active routes in the routing table are evaluated individually against all applied routing policies. The policies are evaluated in order of application in a daisy-chain fashion called a policy chain. A route will proceed through each policy until a match is found for that route. In addition, the matching policy must also contain a terminating action.
- Each policy has three possible results:
  - accept
  - reject
  - next policy

An example of a policy
======================

policy-options {
    policy-statement policy-name {
        from {
            match-conditions;
        }
        then {
            actions;
        }
    }
}

- The policy is broken into the two sections we have been discussing: there are match conditions and there are actions.
- Policy names are case sensitive.
- These policy sections are called terms. Within their policy, they are evaluated in a similar daisy-chain fashion to a policy chain. One benefit of this approach is that the same logic used to build the policy chain is used to build a multiterm policy.
- A single policy with multiple match conditions and actions can be applied to a protocol.
- Multiterm policy:

policy-options {
    policy-statement policy-name {
        term term-name {
            from {
                match-conditions;
            }
            then {
                actions;
            }
        }
        term term-name {
            from {
                match-conditions;
            }
            then {
                actions;
            }
        }
    }
}

- If you don't use a multiterm policy it becomes a headache to modify the policy later: you have to delete the whole policy and rewrite it. With a multiterm policy you can simply add a term.
- New terms are always added at the end of the policy (just like ACLs); if you want to put a term in a certain place, use the insert command to do so.
- If you don't use terms, you can only have one from statement and one then statement.
- It is worth emphasizing that a routing policy in the JUNOS software will evaluate only active routes in the routing table. All inactive routes located in the table will not be evaluated by a policy.
- A then statement is mandatory in a term.
- If a term does not contain a from statement, all routes are matched.

- Match conditions (reference: page 159, JNCIA book):

  Match condition          Description
  area area-id             Used in an export policy to identify routes learned from a particular area. (OSPF only)
  as-path name             Identifies routes with the named AS path. (BGP only)
  community [names]        Identifies routes with the named community assigned. (BGP only)
  level level              Used in an export policy to identify routes that are coming from a particular level. (IS-IS only)
  local-preference value   Identifies the local preference value of BGP routes. (BGP only)
  metric metric            Identifies routes with the specified metric. For BGP, the metric action identifies the MED route attribute.
  neighbor address         Identifies the neighbor from which a route was learned.
  next-hop address         Identifies routes with the specified physical next-hop address. For BGP routes, it identifies the BGP protocol next hop.
  origin value             Identifies the BGP origin attribute. (BGP only)
  preference preference    Identifies routes with the specified preference.
  protocol protocol        Identifies how the router learned the route. Possible options include: aggregate, bgp, direct, isis, ospf, rip, or static.
  rib routing-table        Identifies the routing table where the routes are located.

- The protocol match condition is another widely used match criterion. This criterion essentially asks: how did the route get placed into the routing table?
- Important: the protocol aggregate match criterion may not initially make sense. After all, aggregate routes are not found using a routing protocol; they are locally configured on the router. Just keep in mind that all routes in the routing table are assigned a protocol, as discussed in Chapter 3. The protocol match condition looks for those assigned values only.
- You can specify multiple criteria in the from statement as well, for example a BGP neighbor ID and its MED value:

policy-options {
    policy-statement bgp-import {
        term coming-from-neighborA {
            from {
                neighbor 1.1.1.1;
                metric 10;
            }
            then accept;
        }
        term deny-other-neighborA {
            from neighbor 1.1.1.1;
            then reject;
        }
    }
}

- The way to match against a particular route in the table is to use the route-filter statement:

  route-filter prefix/prefix-length match-type actions;

- The match type can be any of longer, orlonger, exact, upto, prefix-length-range, or through (details on pages 165-166 of the JNCIA book):

  route-filter 192.168.0.0/16 through 192.168.128.0/19;
  route-filter 192.168.0.0/16 upto /18;
  route-filter 192.168.0.0/16 longer;
  route-filter 192.168.0.0/16 orlonger;
  route-filter 192.168.0.0/16 exact;
  route-filter 192.168.0.0/16 prefix-length-range /17-/18;
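The multiterm policy, route-filter match types and insert command described in this section, brought together in one added example in Junos set syntax (not configuration from the notes or the JNCIA book): an export policy that redistributes selected static routes into OSPF, with an earlier reject term that keeps one block out. The policy name static-to-ospf, the term names, the metric 100 and the prefixes 192.168.0.0/16 and 192.168.250.0/24 are assumptions.

```junos
## Added example, not from the notes. Policy name, term names, prefixes and metric are assumptions.

## Term 1: never advertise the management block, even though it also matches term 2.
## Terms are evaluated in order and reject is a terminating action, so this term must come first.
set policy-options policy-statement static-to-ospf term block-mgmt from protocol static
set policy-options policy-statement static-to-ospf term block-mgmt from route-filter 192.168.250.0/24 orlonger
set policy-options policy-statement static-to-ospf term block-mgmt then reject

## Term 2: advertise the remaining static lab routes with a fixed metric.
## upto /24 matches 192.168.0.0/16 itself and any static route inside it down to a /24,
## but not host routes (/32); those fall through to the protocol's default export policy,
## which does not advertise static routes into OSPF.
set policy-options policy-statement static-to-ospf term lab-routes from protocol static
set policy-options policy-statement static-to-ospf term lab-routes from route-filter 192.168.0.0/16 upto /24
set policy-options policy-statement static-to-ospf term lab-routes then metric 100
set policy-options policy-statement static-to-ospf term lab-routes then accept

## Apply the policy as an OSPF export policy. Export policies see active routes only,
## so an inactive (for example hidden) static route is never advertised.
set protocols ospf export static-to-ospf

## If block-mgmt had been added after lab-routes it would sit at the end of the policy
## and never be reached for 192.168.250.0/24; the insert command moves it ahead.
insert policy-options policy-statement static-to-ospf term block-mgmt before term lab-routes
```

Before committing, the operational command test policy static-to-ospf 192.168.250.0/24 shows which term the prefix hits and whether it is accepted or rejected, which is the quickest way to catch a term-ordering mistake.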

=================== end of policy ===================

- A route filter is a single prefix that can be configured within a policy.
- MD5-based authentication for NTP is supported by the Junos software.
- All platforms running the Junos OS use the same source code base.
- The UDP protocol has a limited error-check mechanism and no recovery mechanism.
- activate interface ge-1/0/0 will enable an admin-down interface (ge-1/0/0 in this case).
- The Junos OS uses the local router user database as a last resort to authenticate users.
- You can see the contents of a log file by entering the show log <filename> command.
- The file name and a set of flags may be specified when enabling trace options.
- The network permission will allow a user to use the telnet utility.
- IP address, protocol number and port number can be used as valid match criteria in a firewall filter applied to a layer 3 interface.
- You have to do the following steps to recover a root password:
  - reboot the device
  - run the recovery script
  - reset the root password
- A system log is generated confirming the transfer attempt,

- SNMP trap configuration:

  set snmp trap-group <name of group> targets 172.16.17.1
  set snmp trap-group <name of group> categories link

- Physical properties of an interface are as follows:
  - description
  - encapsulation
  - frame check sequence
  - interface MTU
  - keepalives
  - payload scrambling
- Logical properties of an interface are as follows:
  - protocol families
  - protocol address
  - protocol MTU
- The forwarding plane implements policers, stateless firewall filters and class of service.
- monitor traffic write-file traffic101 will write the monitored traffic to a file named "traffic101".
- 128 milliseconds is the maximum time difference for the clock to be considered synchronized.
- The number of forwarding table instances varies with the device.
- set vlan-tagging under [edit interfaces ge-1/1/1] will configure the 802.1Q protocol on a Gigabit Ethernet interface.
- Dual Routing Engines running the same software release with graceful Routing Engine switchover enabled will allow for an ISSU.
- request system halt shuts down a router.
- show chassis environment is used to show component and environment status.
- Destinations that are active and passed from the routing table are populated into the forwarding table.
- RADIUS authentication:

  set system radius-server 10.10.10.10 secret useme
  top
  set system authentication-order radius

- Import policies evaluate routes after they have been received from another router.
- Login class permissions example:

  permissions [ view-configuration clear network view ];
  allow-configuration "(interfaces)|(routing-options)|(protocols)";

- request system storage cleanup dry-run will show you the files that are cleanup candidates.

- RED is associated with scheduling.
- All the rescue commands begin with the request system syntax; request system configuration rescue delete will delete the rescue configuration.
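The notes mention three things that combine into one common protective configuration: input filters on lo0 affect only traffic destined for the Routing Engine, a layer 3 firewall filter can match on IP address, protocol number and port number, and the forwarding plane implements policers and stateless firewall filters. Here is an added example in Junos set syntax (not configuration from the notes) of an RE-protection filter built from those pieces. The management prefix 10.0.0.0/24, the NTP server 10.0.0.123, the policer rate and all names are assumptions.

```junos
## Added example, not from the notes. Prefix, NTP server, policer values and names are assumptions.

set policy-options prefix-list mgmt-hosts 10.0.0.0/24

## Policer: rate-limit ICMP to the RE rather than dropping it outright.
set firewall policer icmp-limit if-exceeding bandwidth-limit 1m
set firewall policer icmp-limit if-exceeding burst-size-limit 15k
set firewall policer icmp-limit then discard

## Management: SSH only, and only from the management prefix (address + protocol + port).
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept

## Replies to the RE's own NTP queries: the RE initiates the query, so the answer
## arrives inbound to lo0 and would otherwise be discarded by the final term.
set firewall family inet filter protect-re term allow-ntp-reply from source-address 10.0.0.123/32
set firewall family inet filter protect-re term allow-ntp-reply from protocol udp
set firewall family inet filter protect-re term allow-ntp-reply from source-port ntp
set firewall family inet filter protect-re term allow-ntp-reply then accept

## Routing protocol traffic addressed to the router itself.
set firewall family inet filter protect-re term allow-ospf from protocol ospf
set firewall family inet filter protect-re term allow-ospf then accept

## ICMP is allowed but policed.
set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp then policer icmp-limit
set firewall family inet filter protect-re term allow-icmp then accept

## Everything else: count it, send it to syslog, discard it.
set firewall family inet filter protect-re term deny-rest then count re-denied
set firewall family inet filter protect-re term deny-rest then syslog
set firewall family inet filter protect-re term deny-rest then discard

## As an input filter on lo0 this affects only traffic destined for the RE; transit
## traffic through the forwarding plane is untouched.
set interfaces lo0 unit 0 family inet filter input protect-re
```

Two practical checks: commit it with commit confirmed, so a filter that accidentally blocks your own SSH session rolls back on its own, and afterwards watch the re-denied counter with show firewall filter protect-re and the syslog entries with show log messages to see what the RE is actually receiving. Any other protocol the RE originates (RADIUS, DNS, SNMP trap responses) needs its own reply term for the same reason the NTP term exists.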
