Blog

No more doubt with LDP

Published by
January 16, 2015

This article will focus on the LDP protocol. Although this protocol is quite simple, I often had some doubts about some LDP Junos commands and behaviours. This is the aim of this new article: to clarify basic LDP concepts.

To speak about LDP configuration on Junos, we will use this very simple and atypical topology. The IGP is OSPF (a single area) and LDP is activated only on physical interfaces.

[Figure ldp-1: LDP topology]

View article

Few things about screens

Published by
January 7, 2015

Screen functionality helps to protect the network against certain basic types of attacks and malicious traffic. As a bonus, it can help to save precious system resources because it is evaluated at a very early stage of the traffic-processing sequence. Simply put, when screens detect and block an attack, the SRX does not have to perform the subsequent, more intensive processing. Next, some information and a few tips about screens are presented that might be helpful when working with them.

View article

Winner takes it all: BGP route selection in Junos OS

Published by
October 6, 2014

In networks that use BGP as part of their routing protocols, it is very important to understand how BGP route selection works. BGP is an important part of the JNCIE exams, so this information is also very useful for candidates preparing for any of the practical exams.

BGP route selection can be broken down into discrete steps, so it then becomes easy to understand how you can influence the route selection with the appropriate attributes. So let's have a look at the algorithm used in Junos OS in a somewhat simplified form. For all the detailed steps I refer to http://www.juniper.net/techpubs/en_US/junos13.1/topics/reference/general/routing-ptotocols-address-representation.html

Before we can start the actual BGP route selection, the router needs to make sure that the route is valid, so it checks for Martian routes, AS loops and next-hop reachability. The actual route selection steps are:

View article

Which area type do you prefer: Normal, Stub, Totally Stub, NSSA or Totally NSSA?

Published by
July 31, 2014

Anyone who has ever studied OSPF was probably confused about all the different link-state advertisement types (LSA types 1, 2, 3, 4, 5, 7, etc.) at some point in time. Equally confusing are all the possible area types. OSPF allows for 5 different area types, which provides flexibility in deployments but also introduces quite a bit of complexity.

In this blog post we will discuss the different area types, their general use and especially focus on the configuration intricacies of the “stubbie” area types.

RFC2328 defines area as: “OSPF allows collections of contiguous networks and hosts to be grouped together. Such a group, together with the routers having interfaces to any one of the included networks, is called an area”. Now isn’t this crystal clear 🙂

Let's say you have a network with 100 routers in it. You now have to make a design choice about how to organize this network. The basic options when using OSPF are:
– Single area: all 100 routers share the same information
– Multiple areas: split the 100 routers into multiple areas, for example 4 areas with 25 nodes each.

View article

Troubleshooting SRX chassis cluster

Published by
June 26, 2014

SRX chassis cluster bundles two devices together to provide high availability. The cluster nodes must be the same model, have the cards placed in the same slots and must run the same software version. In addition, at least two interconnect links must be present (one control and one fabric link). In newer releases the SRX supports dual fabric links (high-end and branch SRXs) and dual control links (high-end SRXs only). The ports used for the fabric link are defined through configuration. The definition of the ports for the control link, on the other hand, is not so flexible. The high-end SRXs (1000 and 3000 series) have dedicated ports for that, and the 5000 series uses the ports on the SPC cards. On the branch SRX devices, revenue ports (fixed ones) are converted to control ports.

View article

Who needs dynamic routing? Static routing and other settings from [edit routing-options]

Published by
June 1, 2014

In my recent training sessions I noticed that intermediate and even advanced users of JUNOS struggled with some of the basics of routing on Juniper devices. Of course they know how to create a static route with the basic settings, and maybe even how to create an aggregate route for summarization with BGP or ISIS/OSPF. But they are not familiar with some of the more esoteric settings that are possible in the [edit routing-options] hierarchy.

In this post I’ll discuss the following topics, as they are useful for both network engineers and JNCIE candidates.

1. Static routes
2. Aggregate routes
3. Generate routes

View article

VPLS signaling options

Published by
May 5, 2014

In this article we will explain the various protocols and Junos configurations that can be used to design a simple VPLS domain. We will also provide some troubleshooting commands and some recommendations.

The topology for the different scenarios covered is depicted below:

[Figure vpls-topo1: VPLS topology]

As you can see, we want to interconnect 3 CEs (in grey) in a VPLS architecture. Each CE is connected via a VLAN to a dedicated PE. The core network is made of P routers that only have ISIS and LDP enabled. A Route Reflector is in charge of distributing BGP NLRI between the PEs.

We will cover different scenarios, but each time the result should be the same: the 3 CEs can communicate with each other. The 3 CEs are in the same subnet (192.168.1.0/24).

View article

Troubleshooting SRX security policies

Published by
April 7, 2014

Security policies are one of the biggest tasks when working with firewalls. They define how the device handles traffic: whether it lets it through, makes it subject to deeper analysis (IDP, AppFW, UTM, etc.) or denies it. It is essential to know the available troubleshooting options and how to use them.

Let's start with a short recap of security policy theory.

Three categories of security policies exist:

  1. regular – defined in a zone context (from-zone to-zone). They are unidirectional and are evaluated first.
  2. global – defined without a zone context and applied to any traffic not handled by regular policies.
  3. default – the action applied when traffic did not match any regular or global policy. The default “deny” can be changed to “permit” through explicit configuration.

View article

To summarize or not to summarize, that’s the question: Tools to summarize or filter routes in an OSPF domain

Published by
March 17, 2014

For any OSPF network engineer, and for JNCIE candidates, it is crucial to understand the tools that improve the scalability and stability of the OSPF domain. As with any routing protocol, the main instrument for this is some form of summarization and/or filtering. By limiting the sharing of details between different parts of the OSPF domain, any instabilities can be hidden, resulting in less CPU and memory usage on the router REs.

OSPF has a few restrictions on where you can summarize and/or filter routes in the network. Within an area, summarization is not allowed, as all routers in an area need to share the same database. A somewhat general rule is that OSPF can only summarize where route / LSA conversion is taking place. For internal routes this is done on the ABR when converting intra-area route information (type 1 and 2) into inter-area route information (type 3). For external routes this is done at redistributing ASBRs, where non-OSPF route information is converted into External OSPF route information (type 5 or 7), as well as on NSSA area ABRs when converting NSSA External route information (type 7) into External route information (type 5).

For OSPF with Junos the following options exist:
1. Inter-area internal LSA summarization and filtering on the ABR using the area-range command
2. Inter-area internal LSA filtering on the ABR using the network-summary-import/export policies
3. External route summarization and filtering on the ASBR using aggregate routes and export policies
4. Inter-area NSSA external route summarization and filtering on the NSSA ABR using the nssa area-range command
5. Route-table filtering of external routes using import policies

For Stub and NSSA areas, some form of default route is normally also configured for reachability, which is also a form of summarization. A 0/0 route is the ultimate form of summarization. The Stub and NSSA area intricacies will be part of a different blog post in the future, so they will not be covered here.

View article

BGP over IPSEC VPN

Published by
March 5, 2014

This post presents how to configure BGP as the routing protocol over an IPSEC hub-and-spoke VPN.

The requirements:

The following diagram depicts the network architecture:

[Figure BGPIPSEC-1-2: network architecture]

View article