Tag: <span>Juniper</span>

Scenario:2 physical interfaces bundled together (port-channel) and associated in the same vlan. Tested in:Cisco NexusJuniper EX Series Steps Cisco Juniper Configure 2 physical interfaces interface Ethernet1/1description Server Link#1switchportswitchport access vlan 888channel-group 99 mode activeno shutdown interface Ethernet2/1description Server Link#2switchportswitchport access vlan 888channel-group 99 mode activeno shutdown #set interfaces xe-0/0/0 description ” Server Link#1 “#set interfaces xe-0/0/0 gigether-options 802.3ad ae99 #set interfaces xe-1/0/0 description ” Server Link#2 “#set interfaces xe-1/0/0 gigether-options 802.3ad ae99 Configure the port-channel interface port-channel99description Server Port-channelswitchportswitchport access…

Cisco Juniper

This is a sample steps of migrating IP configuration from physical interface to bundle interface. Take note that this may result service impact during the migration as the existing interface need to be shutdown and re-configure. Remember to shift your traffic prior with the maintenance. Existing Config: freenetwork@MX1-re0> show configuration interfaces et-0/0/1 description “Link to Switch1”; unit 0 { family inet { address 192.168.0.1/24; } family inet6 { address fdf8:d3f5:1a47:bc09::1/64; } Fig.1 Shutdown the physical interface and remove existing configuration…

Juniper

uRPF or Unicast Reverse Path Forwarding is a security feature/tool that help verifies reachability of source address in packets being forwarded. It can prevents malicious and spoofing attacks as it will perform forwarding table lookup on the source IP address. – it as defined in RFC3704 – it follows RFC2827 for ingress filtering. –  it relies on the CEF (Cisco Express Forwarding) or FIB table to perform lookups. – preferably implemented at the network edge facing internet, customers and servers…

Juniper

These are the some commands being used when performing network change or maintenance, depending on the features or services being run in the network. Typically, this is very useful in verification, troubleshooting and comparison between before and after the change. #Log Time set cli timestamp set cli screen-width 200 show ntp associations no-resolve | no-more show ntp status no-resolve | no-more ## Hardware Status show chassis hardware | no-more show chassis hardware clei-models | no-more show chassis hardware detail |…

Juniper

It is recommended to implement the separation of management and data/customer traffic in your Juniper devices (e.g. QFX Series Switches, MX Series).  Traffic passing through the management plane should be exclusively for management or administrative access purposes only like SSH, SNMP, NTP and AAA. Here’s the recommended configuration or practices for these management services. Configure Authentication, Authorization and Accounting (AAA) -preferably to setup centralized TACACS+ to manage all your devices, implement central network management that can impose security protocol to…

Juniper

As mentioned from the previous post, Bogon prefixes or routes should never appear in the Internet routing table. Network Engineers should implement “Best Practices” in their network, that includes filtering of bogons as it maybe used in DDoS attacks or Spams. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list  for more info. “Martians” bogons may changed occasionally so at least make sure private address mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so it wont leak out into the Internet. Here is sample steps and configuration. (This is the equivalent configuration…

Juniper

In routing world, Administrative Distance refers to the reliability of the routing protocol. It is equivalent to Juniper’s Route Preference and Huawei’s Preference. It is important to consider these values as in the scenario that there are multiple routes to a destination (with same prefix length), the route (learned via the routing protocol) with the lowest value is preferred. Table below will show the values for respective platform.   Routing Protocol Cisco(AD) Juniper (RP) Huawei(P) Connected Interface 0 0 0…

Networking

Static Route Configuration Examples in Juniper for BGP aggregated prefix advertisements In order to advertise the aggregated routes (and default routes) via BGP, it should exists in the routing table, that’s the #1 rule. If these summarized routes (/16) are not existing and only smaller subnets are learned via the IGP(e.g. OSPF,IS-IS), then configure static route and next hop e.g. Null0. Configuration: routing-options { graceful-restart; rib inet6.0 { static { route fd41:c8be:2153:f400::/64 discard; route ::0/0 { discard; no-install; static {…

Juniper

Originating BGP advertisement can be configured to any iBGP peer router. Here’s the sample configuration of originating BGP routes and community tagging in Juniper. Assuming these are the summarized prefixes that you want to advertise via BGP. 111.111.0.0/16 222.222.0.0/16 Configuration: routing-options { graceful-restart; router-id 1.1.1.1; autonomous-system 11111; protocols { bgp { group RR-IBGP { type internal; description RR-IPv4; local-address 192.168.100.6; family inet { unicast; } authentication-key “$1$N3tBioBwfdFsFVwgoGDh.3C0oL”; ## SECRET-DATA export bgp-statement; neighbor 192.168.100.5 { description iBGP to Route Reflector; }…

Juniper

Here’s some Best practices that you can implement in Juniper devices in securing your SSH. 1.Remote access should be via SSH and telnet is disabled delete system services telnet   2. SSH should be version 2 or higher. Do not run v1 set system services ssh protocol-version v2   3. Configure Login Banner set system login message “\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and…

Juniper