Tag: Juniper

These are some of the commands used when performing a network change or maintenance, depending on the features or services running in the network. Typically, they are very useful for verification, troubleshooting, and comparing the state before and after the change.

    #Log Time
    set cli timestamp
    set cli screen-width 200
    show ntp associations no-resolve | no-more
    show ntp status no-resolve | no-more
    ## Hardware Status
    show chassis hardware | no-more
    show chassis hardware clei-models | no-more
    show chassis hardware detail |…

Juniper

Separating management traffic from data/customer traffic is recommended on your Juniper devices (e.g. QFX Series switches, MX Series). Traffic passing through the management plane should be exclusively for management or administrative access, such as SSH, SNMP, NTP and AAA. Here are the recommended configurations and practices for these management services. Configure Authentication, Authorization and Accounting (AAA) - preferably set up centralized TACACS+ to manage all your devices, implement central network management that can impose security protocol to…

Juniper

As mentioned in the previous post, bogon prefixes or routes should never appear in the Internet routing table. Network engineers should implement “best practices” in their networks, including filtering of bogons, as they may be used in DDoS attacks or spam. Refer to https://freenetworktutorials.com/ipv4-and-ipv6-bogon-address-list for more info. “Martian” bogons may change occasionally, so at least make sure the private addresses mentioned in https://freenetworktutorials.com/ipv4-classful-and-reserved-addresses are filtered so they won’t leak out into the Internet. Here are sample steps and configuration. (This is the equivalent configuration…

Juniper

In the routing world, Administrative Distance refers to the reliability of the routing protocol. It is equivalent to Juniper’s Route Preference and Huawei’s Preference. These values matter because when there are multiple routes to a destination (with the same prefix length), the route (learned via the routing protocol) with the lowest value is preferred. The table below shows the values for each platform.

Routing Protocol | Cisco (AD) | Juniper (RP) | Huawei (P)
Connected Interface | 0 | 0 | 0…

Networking

Static Route Configuration Examples in Juniper for BGP aggregated prefix advertisements

In order to advertise the aggregated routes (and default routes) via BGP, they must exist in the routing table; that’s the #1 rule. If these summarized routes (/16) do not exist and only smaller subnets are learned via the IGP (e.g. OSPF, IS-IS), then configure a static route with a next hop, e.g. Null0. Configuration: routing-options { graceful-restart; rib inet6.0 { static { route fd41:c8be:2153:f400::/64 discard; route ::0/0 { discard; no-install; static {…

Juniper

Originating BGP advertisements can be configured to any iBGP peer router. Here’s a sample configuration for originating BGP routes and community tagging in Juniper. Assume these are the summarized prefixes that you want to advertise via BGP: 111.111.0.0/16 and 222.222.0.0/16. Configuration: routing-options { graceful-restart; router-id 1.1.1.1; autonomous-system 11111; } protocols { bgp { group RR-IBGP { type internal; description RR-IPv4; local-address 192.168.100.6; family inet { unicast; } authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"; ## SECRET-DATA export bgp-statement; neighbor 192.168.100.5 { description "iBGP to Route Reflector"; }…

Juniper

Here are some best practices that you can implement on Juniper devices to secure SSH.

1. Remote access should be via SSH, with telnet disabled

    delete system services telnet

2. SSH should be version 2 or higher. Do not run v1

    set system services ssh protocol-version v2

3. Configure Login Banner

    set system login message "\n*************************************************************************\n       UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED\n\nYou must have explicit, authorized permission to access or configure this \ndevice.Unauthorized attempts and…

Juniper

The “traceoptions” statement in Juniper lets you debug BGP protocol issues. If a BGP peering cannot be established, you can set “traceoptions” to understand the issue further.

1. Configure “traceoptions” and name the log debug-bgp

    set protocols bgp group BGP-GROUP1 traceoptions file debug-bgp
    set protocols bgp group BGP-GROUP1 traceoptions file size 1m
    set protocols bgp group BGP-GROUP1 traceoptions file files 2
    set protocols bgp group BGP-GROUP1 traceoptions flag all
    commit

where:
max trace file size = 1m
max trace files…

Juniper

Configuration:

IPv4: Route the block (1.1.1.0/24) to next hop 2.2.2.1 with metric 255

    user@MX-re0> configure
    #set routing-options static route 1.1.1.0/24 next-hop 2.2.2.1
    #set routing-options static route 1.1.1.0/24 metric 255

Optional: Set a comment using the annotate command

    #edit routing-options static
    #annotate route 1.1.1.0/24 "/* STATIC ROUTE IPv4*/"

Commit

    #commit

It will look something like this:

    user@MX-re0> show configuration routing-options static
    /* STATIC ROUTE IPv4*/
    route 1.1.1.0/24 {
        next-hop 2.2.2.1;
        metric 255;
    }

IPv6: Route the block (2000:2000:2000::/56 ) to next hop 2006:3006:1:234:5:6:78:90ab with metric…

Juniper

100G transceivers have been around for a few years already and have been getting affordable since 2016 I guess, and it is now practical to shift to 100G instead of burning N x 10GEs. To see more info about 100G transmission principles, I find this link very informative -> https://community.fs.com/blog/understand-100g-transceivers-transmission-principles.html Here are sample 100G transceivers we deployed in our datacenters. It really depends on what type of vendor or hardware you have, but the most popular now are the QSFPs.

Juniper QSFP-100GBASE-LR4…

Networking