Junos Study Guide Summary

Uploaded by Jeppe Polling

JUNOS - Study guide – Summary

Chapter 1: Junos OS fundamentals

Robust, modular & scalable
• Multiple software processes
• Each process:
  o Handles a portion of the device's functionality
  o Runs in its own protected memory space --> cannot interfere with another process
  o New features can be added with less likelihood of breaking current functionality
• The kernel is based on the FreeBSD Unix OS

Single source code base
• Ensures that core features work in a consistent manner across all platforms running the Junos OS
• Setup tasks and ongoing maintenance and operation within your network are simplified

Separate control & forwarding plane
• Processes that control routing and switching protocols are cleanly separated from the processes that forward frames, packets or both through the device running Junos OS
  o Maximum performance and reliability
• Control plane
  o Runs on the routing engine (RE)
    ▪ Brains of the platform: performs protocol updates and system management
    ▪ Maintains routing tables, bridging tables and the primary forwarding table (FT)
    ▪ Connects to the packet forwarding engine (PFE) through an internal link
• Forwarding plane
  o PFE
    ▪ Runs on separate hardware and is responsible for forwarding transit traffic through the device
    ▪ Application-specific integrated circuits (ASICs) for increased performance
    ▪ Receives the FT from the RE (over the internal link)
    ▪ Forwards frames, packets or both

©SecureLink Confidential Page 1 of 54


Maintains RE intelligence
• RE
  o Handles all protocol processes
  o Handles other software processes
    ▪ Interfaces
    ▪ Chassis components
    ▪ System management
    ▪ User access to the device
  o Controls and monitors the chassis
    ▪ Provides the CLI & J-Web GUI
    ▪ Provides user access to and control of the device
  o Manages the PFE
    ▪ Provides an accurate, up-to-date L2 & L3 FT
    ▪ Downloads and manages the software processes that reside in the PFE
    ▪ Receives hardware and environmental status messages from the PFE

Forwards traffic
• PFE
  o Forwards traffic based on its local copy of the FT
    ▪ Synchronized copy of the information created on and provided by the RE
    ▪ Forwards traffic more efficiently and eliminates the need to consult the RE
  o Implements advanced services
    ▪ Rate limiting
    ▪ Stateless firewall filters
    ▪ Class of service

Transit traffic
• Consists of all traffic that enters an ingress network port, is compared to the FT and is forwarded out an egress network port toward its destination
• Is never sent to or processed by the control plane
• Can be unicast traffic
  o Enters one ingress port and is transmitted out exactly one egress port toward its destination
• Can be multicast traffic
  o Enters one ingress port and can be replicated and sent out multiple egress ports depending on the number of multicast receivers and the network environment

Exception traffic
Part 1
• Does not pass through the local device but rather requires some form of special handling; for example:
  o Packets addressed to the chassis; for example:
    ▪ Routing protocol updates
    ▪ Telnet sessions
    ▪ Pings
    ▪ Traceroutes
  o IP packets with the IP options field set
  o ICMP messages
    ▪ Report various error conditions and respond to ping requests
    ▪ Destination host unreachable
    ▪ TTL expired

Part 2
• The PFE sends exception traffic to the RE over the internal link
• Rate limited: protects the RE from denial-of-service attacks

Overview of Junos devices
• Routing devices
  o ACX series
    ▪ End-to-end provisioning
    ▪ Support L2 & L3
    ▪ Support passive cooling
  o LN series

    ▪ High-performance network routing, firewall and intrusion detection
  o M series
    ▪ Multiservice routers providing up to 320 Gbps of aggregate half-duplex throughput
    ▪ Different roles
      • Internet gateway router
      • WAN connectivity router
      • Campus core router
      • Regional backbone
      • Data center routers
  o MX series
    ▪ Provide up to 960 Gbps of aggregate half-duplex throughput
    ▪ Dense dedicated access aggregation and provider edge services
  o PTX series
    ▪ Provide up to 16 Tbps of throughput in a single chassis
    ▪ Service provider supercore
    ▪ Adapt to rapidly changing traffic patterns for video, mobility and cloud-based services
  o T series
    ▪ Provide up to 25.6 Tbps of throughput
• Switching
  o EX series
    ▪ Provide up to 6.2 Tbps of full-duplex throughput
    ▪ Designed for access, aggregation and core deployments
  o QFX series
    ▪ Provide high performance and ultra-low latency
    ▪ Support L2 and L3
    ▪ Wire-speed 10GbE throughput
• Security
  o J series
    ▪ Provide up to 2 Gbps of throughput
    ▪ Deployed at branch and remote locations
    ▪ Provide all-in-one secure WAN connectivity, IP telephony, …
  o SRX series
    ▪ Provide up to 120 Gbps of full-duplex throughput
    ▪ Designed to meet the network and security requirements of consolidated data centers, managed service deployments and aggregation of security services

QUESTIONS
1. What are some advantages of the Junos OS?
   • Multiple software processes
   • Each process runs in its own protected memory space --> cannot interfere with the others
2. What are the primary functions of the control plane and the forwarding plane on Junos devices?
   • Control plane
     o Maintains routing intelligence
     o Controls and monitors the chassis
     o Manages the PFE
   • Forwarding plane
     o Forwards packets
     o Implements advanced services
3. How are transit and exception traffic processed?
   • Transit traffic
     o Forwarded through the PFE based on the FT
   • Exception traffic
     o Processed locally by either the PFE or the RE depending on the type of traffic
       ▪ RE: host-bound packets such as protocol and management traffic
       ▪ PFE: ICMP error message responses
4. Name three platforms that run the Junos OS
   • ACX
   • LN
   • J
   • M
   • MX
   • PTX
   • T
   • EX
   • QFX
   • SRX

Chapter 2: User interface options
CLI
• Text-based command shell
• Accessing the CLI
  o Out-of-band serial console connection
    ▪ The console port settings are predefined and not user configurable
  o Using access protocols
    ▪ Telnet, SSH, …
    ▪ Require configuration of a network port and the access protocol
  o (Out-of-band) dedicated management Ethernet port
    ▪ The software cannot forward transit traffic through this management port

J-Web interface
• Graphical user interface
• Access using HTTP(S)
• Quick configuration wizard

Logging in
• Requires a username and a password for access
  o Default: root without any password
    ▪ Root has complete access to and control of the device
  o Shell (%) --> type cli to start the CLI

Need help?
• The CLI provides context-sensitive help
• ?
  o Lists the available commands and options, including user-defined variables
• help topic
  o Displays usage guidelines for the statement
• help reference
  o Displays summary information for the referenced configuration statement
  o Displays a complete list of related configuration options along with several other details specific to the referenced command statement
• help apropos
  o Displays the contexts that reference a specific variable
  o Only displays contexts that are relevant to the current configuration hierarchy level

Control keys
• Ctrl + b --> moves the cursor left one character

• Ctrl + a --> moves the cursor to the beginning of the command line
• Ctrl + f --> moves the cursor right one character
• Ctrl + e --> moves the cursor to the end of the command line
• Delete and Backspace --> delete the character before the cursor
• Ctrl + d --> deletes the character over the cursor
• Ctrl + k --> deletes from the cursor to the end of the line
• Ctrl + u --> deletes all characters and negates the current command
• Ctrl + w --> deletes the entire word to the left of the cursor
• Ctrl + l --> redraws the current line
• Esc + d --> deletes the word to the right
• Esc + b --> moves the cursor back one word with no delete
• Esc + f --> moves the cursor forward one word with no delete

Using the pipe (|)
• Filter display output
  o compare --> compares configuration changes with another configuration file
  o count --> displays the number of lines in the output
  o display changed --> tags changes with the junos:changed attribute (XML use only)
  o display commit-scripts --> shows the data after Junos applies commit scripts
  o display detail --> displays additional information about the contents of the configuration
  o display inheritance --> displays inherited configuration data and the source group
  o display omit --> omits configuration statements marked with the omit statement
  o display set --> shows the set commands that created the configuration statements
  o display xml --> displays the output in XML format
  o except --> ignores text matching the pattern when searching the output
  o find --> displays the output starting at the first occurrence of the matching text
  o hold --> holds the text without exiting the --more-- prompt
  o last --> displays the last screen of information
  o match --> searches for text matching the pattern
  o no-more --> displays the output all at once
  o request message --> displays the output to multiple users
  o resolve --> converts IP addresses to DNS names
  o save --> saves the output to a file or URL
  o trim --> trims the specified number of columns from the start of each line

Operational mode
• Monitor and control the operation of a device running Junos
• Commands exist in a hierarchical structure

Capabilities
• Entering configuration mode
• Controlling the CLI environment
• Exiting the CLI

• Monitoring and troubleshooting
• Connecting to other network systems
• Copying files
• Restarting software processes
• Performing system-level operations

Configuration mode
• By default multiple users can enter configuration mode and commit changes
• Uncommitted changes are retained when exiting configuration mode

Exclusive mode
• Allows one single user to edit the configuration
• Uncommitted changes are always discarded when exiting exclusive mode

Private mode
• Allows multiple users to edit the configuration while committing only their own private changes
• Uncommitted changes are always discarded when exiting private mode
• Other users must enter private or exclusive mode to become the master
• Chassis clustering: private mode is automatic

Batch configuration changes

Active configuration
• The configuration that is currently operational on the system
• The system loads the active configuration during the boot sequence

Candidate configuration
• A temporary configuration that might become the active configuration
• You can modify the candidate configuration and commit the changes

The life of a configuration file
• Configure --> creates a candidate configuration
  o Modify your changes
  o Commit the changes

    ▪ Checks the candidate configuration for proper syntax
    ▪ An error message indicates the location of the error --> correct the errors before recommitting the configuration
    ▪ Installs it as the active configuration
  o Rollback
    ▪ Recovers a previous configuration
    ▪ Maximum of 50 configurations (including the active configuration = rollback 0)
    ▪ You must issue a commit

Hierarchical configuration
• Container statements: curly brackets visually display the hierarchical structure of the configuration
• Leaf statements: a semicolon visually marks the end of a branch of the hierarchical structure of the configuration

Moving between levels
• top
• up <n>
• edit
• exit: returns to the most recent, higher level of the hierarchy

Configuring statements
• set: adds a statement
• delete: deletes a statement and all its subordinate statements and identifiers
  o Wildcard delete
• rename
• replace pattern
• copy
• deactivate – activate
• insert
• annotate
• …

Remember to commit
• commit: activates the candidate configuration
• commit synchronize
  o On devices with redundant REs
  o Activates and synchronizes the configuration on both REs
• commit check
  o Validates the syntax of a candidate configuration without actually placing it into effect
• commit confirmed
  o The system starts a timer during which it expects to see another commit

  o If the second commit does not occur within the specified time-out value, the system performs a rollback 1 and commit on your behalf
• commit at
  o Occurs at a specific time
  o Synchronizes commits across multiple routers
    ▪ The routers must have their time synchronized to the same source to execute the commit at the same time
• commit and-quit
  o Activates your changes and exits configuration mode
• commit comment
  o Adds a log entry to your commit

Viewing differences
• show | compare: displays the differences between the candidate and active configuration
• show configuration | compare rollback <n>: displays the differences between the active and a rollback configuration
• show configuration | compare <filename>: displays the differences between the active configuration and an arbitrary file
• file compare files <filename 1> <filename 2>: displays the differences between any two text files

Restoring a previous configuration
• rollback <n>: overwrites the candidate configuration with one of the previously committed versions
  o Commit!

Saving & loading configuration files
• Save the candidate configuration (including uncommitted changes) from your current configuration setting to an ASCII file
  o save <filename>: saves to an ASCII file
  o save <path/filename>: saves to an ASCII file at the given path
  o save ftp://<user:password@router/path/filename>: puts the file in the location explicitly described by this URL using the FTP protocol
  o save scp://<user@router/path/filename>: puts the file on a remote system using the SSH protocol
• Load a complete or partial configuration from a local file, from a file on a remote machine or from a terminal emulation program's buffer capture
  o factory-default: replaces the full current configuration with the factory default
  o merge: combines the current configuration with the configuration you load
  o override: completely overwrites the current configuration
  o patch: adds or deletes variables from the configuration based on the contents of a specified patch file
  o replace: looks for a replace tag in the configuration you load
  o set: allows the user to load set commands from the terminal or from a saved file
  o update: updates the existing configuration with the configuration you load

  o terminal: uses the text you type at the terminal as input to the configuration
  o relative: negates the need for a full path to the related configuration hierarchy by telling the device to add the data you load relative to the current configuration hierarchy
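The configure, compare, commit and rollback sequence from this chapter, as an added example that is not from the study guide. It assumes an interface ge-0/0/1, constructed addresses 203.0.113.2/30 and 203.0.113.1, an SCP host backup.example.net and a user allowed to commit; lines beginning with # are explanatory comments, not CLI input.

```junos
# Enter configuration mode as the sole editor; uncommitted changes are
# discarded if this session ends without a commit
configure exclusive

# Stage a change in the candidate configuration (constructed values)
set interfaces ge-0/0/1 description "uplink to core"
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.2/30

# Review the candidate against the active configuration before activating it
show | compare

# Validate syntax and semantics only; nothing is activated
commit check

# Activate with a safety net: if no second commit arrives within 10 minutes
# the device performs rollback 1 on its own, so a change that cuts off your
# management access undoes itself
commit confirmed 10

# Verify from the device that the far end is reachable, then confirm
run ping 203.0.113.1 count 3
commit comment "add core uplink, confirmed"

# Later: inspect how the previous committed version differs, then revert to it
show | compare rollback 1
rollback 1
commit comment "revert core uplink"

# Save the candidate (including any uncommitted changes) off-box over SSH
# and keep a local copy in the user's home directory
save scp://admin@backup.example.net/configs/router.conf
save router-backup.conf
exit
```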

QUESTIONS
1. Which modes exist within Junos OS?
   • Operational mode
   • Configuration mode
   • Shell
2. Which operations can be performed in each mode?
   • Operational mode
     o Monitor and troubleshoot the software, network connectivity and hardware
   • Configuration mode
     o Configure a device including interfaces, protocols, user access and system hardware
3. Which keystrokes complete a system command and a user-defined variable?
   • Spacebar: completes a command
   • Tab: completes commands and user-defined variables
4. Which command provides the quickest method of returning to the top of the hierarchy?
   • top
5. What is the difference between the active and candidate configuration?
   • Active configuration: committed and in use
   • Candidate configuration: not active until a commit is performed
6. Which command displays the differences between the candidate and active configuration?
   • show | compare

Chapter 3: Initial configuration
Factory-default configuration
• Allows access using the root account
  o Default: no password
• Setting a root password is required before activating any changes to the configuration file
• Includes system logging, which tracks system events and writes those events to predefined log files

Loading the factory default
• Returns a device to its factory-default configuration --> overwrites the candidate configuration
• load factory-default
  o Commit!!

Gracefully shutting down the device
• It is unlikely that a failure to gracefully shut down the system could leave it unable to boot
  o Yet you should always gracefully shut down platforms
• request system halt
  o at / in: allows you to schedule the shutdown in a specific number of minutes or at an exact time
  o media: allows you to specify the media that the next boot operation will use
  o message: allows you to log a message to the console and to the messages file
  o both-routing-engines: halts redundant REs
  o all-members: halts all participating members of the Virtual Chassis simultaneously

Initial configuration checklist
• Root authentication
  o Before committing, a root password must be set
    ▪ set system root-authentication plain-text-password
    ▪ Password restrictions
      • No fewer than 6 characters
      • A change of case
      • Digits or punctuation
  o Junos encrypts the password
  o You can always perform the password recovery process
• Hostname
  o set system host-name router
• System time
  o Current date and time information along with the proper time zone for the device
    ▪ set system time-zone Europe/Brussels
    ▪ run set date <YYYYMMDDhhmm.ss>
  o NTP

• System services for remote access
  o Enable SSH and Telnet access to a device running Junos
    ▪ set system services telnet
    ▪ set system services ssh
  o Enable HTTP access to the device through a web browser
  o By default an individual CLI session never times out, even after extended idle periods
    ▪ run set cli idle-timeout <time>
  o Login message shown to users
    ▪ set system login message "<message>"
• Management interface and static route for management traffic
  o Configure a management interface
    ▪ set interfaces <int name> unit 0 family inet address <ip address>
  o Configure a static route for management traffic (as specific as possible)
    ▪ set routing-options static route <ip network address> next-hop <ip address>
  o no-advertise
    ▪ Marks the static route ineligible for advertisement through routing policy
  o When the system boots, the routing protocol process is not yet running, so the system has no static or default routes
    ▪ To allow the device to boot and to ensure that it is reachable over the network if the routing protocol process fails to start properly, you can configure a backup router
      • A backup router is a router or gateway that is directly connected to the local system
        o To eliminate the risk of installing a default route in the FT, you should always include the destination option (the destinations reachable through the backup router)
    ▪ When the routing protocols start, the backup router is removed from the local routing table and FT
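The whole initial configuration checklist as one worked configuration, added here and not part of the study guide. It assumes a hostname R1, a management interface fxp0 on the constructed subnet 192.0.2.0/24 with gateway 192.0.2.1, a management station subnet 198.51.100.0/24 and a local user jdoe; unlike the checklist it enables SSH only (no Telnet) and denies root login over SSH, and lines beginning with # are explanatory comments, not CLI input.

```junos
configure

# 1. Root authentication: required before the first commit; the command
#    prompts twice for the password and stores only the hash
set system root-authentication plain-text-password

# 2. Hostname and time zone (NTP is configured separately)
set system host-name R1
set system time-zone Europe/Brussels

# 3. Remote access: SSH version 2 only, root may not log in remotely
set system services ssh protocol-version v2
set system services ssh root-login deny

# 4. A named administrator account with a persistent idle timeout
#    (the per-session "set cli idle-timeout" is lost when the session ends)
set system login class admin permissions all
set system login class admin idle-timeout 15
set system login user jdoe class admin authentication plain-text-password
set system login message "Authorised access only. All activity is logged."

# 5. Management interface plus a static route that is as specific as
#    possible and never advertised into a routing protocol
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 198.51.100.0/24 next-hop 192.0.2.1 no-advertise

# 6. Backup router for reachability before the routing protocols start;
#    the destination option keeps a default route out of the forwarding table
set system backup-router 192.0.2.1 destination 198.51.100.0/24

# 7. Activate with an automatic rollback if nothing confirms within 5 minutes
commit confirmed 5
commit

# 8. Keep this known-good state as the rescue configuration
run request system configuration rescue save
```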

To the rescue
• A rescue configuration is a user-defined, known-good configuration
• Designed to restore connectivity in the event of configuration problems
  o rollback rescue & commit
• Contains the minimum elements necessary to restore network connectivity
• Must include a root password
• Default: no rescue configuration is defined
  o request system configuration rescue save

Interface overview
• An interface is used to connect a device to a network
• Some are used to provide a service or a specific function
  o Management: connects the device to a management network
  o Internal: connects the control and forwarding planes

  o Network: provides media-specific network connectivity
  o Services: provide one or more user-configurable services such as encryption, tunneling and link services
    ▪ es: encryption interface
    ▪ gr: generic routing encapsulation (GRE) tunnel interface
    ▪ ip: IP-over-IP encapsulation tunnel interface
    ▪ ls: link services interface
    ▪ ml: multilink interface
    ▪ mo: passive monitoring interface
    ▪ mt: multicast tunnel interface
    ▪ sp: adaptive services interface
    ▪ vt: virtual loopback tunnel interface
  o Loopback: provides a constant and dependable hardware-independent interface

Interface naming
• Media type – line card (FPC) slot number / interface card (PIC) slot number / port number
  o ge-0/0/0
  o Slot and port numbers begin at 0
• Other interface name designations
  o Do not adhere to the naming convention
    ▪ Loopback: lo0
    ▪ Aggregated Ethernet: ae
    ▪ Aggregated SONET: as
    ▪ VLAN: vlan
• Logical interfaces
  o Each physical interface descriptor can contain one or more logical interface descriptors
  o Allow you to map one or more logical interfaces to a single physical device
• Multiple addresses
  o Junos can have more than one address on a single logical interface
  o The set command adds an additional address under the logical unit

Physical properties
• Data link layer protocol and keepalives
• Link mode --> half or full duplex
• Speed
• Maximum transmission unit --> from 256 to 9192 bytes
• Clocking --> clock source (internal/external)
• Scrambling --> payload scrambling
• Frame check sequence --> modify to 32-bit mode (default 16)
• Diagnostic characteristics --> local or remote loopbacks

Logical properties
• Protocol family --> inet, inet6, iso, mpls or ethernet-switching
• Addresses

  o preferred
    ▪ Used when you have multiple IP addresses belonging to the same subnet on the same interface
    ▪ Selects which address is used as the source address for packets sent by the local system to hosts on the directly connected subnet
  o primary
    ▪ The address that is used by default as the local address for broadcast and multicast packets sourced locally and sent out the interface
• Virtual circuits --> virtual circuit identifier
• Other characteristics

QUESTIONS
1. Which command do you use at the shell prompt to enter operational mode?
   • cli
2. Which configuration parameter is required during an initial configuration?
   • root-authentication
3. Which final configuration mode command must you enter to enable your initial configuration?
   • commit
4. Which parameters might be configured under the logical unit hierarchy level for an interface?
   • Protocol family, addresses and virtual circuit identifiers

Chapter 4: Secondary system configuration
Authentication
• Local password authentication: configure usernames and passwords individually for each user who logs into a device
  o The system automatically generates a home directory for that user
    ▪ Default working directory for each locally configured user
    ▪ Can be changed for individual sessions
      • run set cli directory <directory>
• RADIUS and TACACS+ are distributed client/server systems used as authentication methods to validate users
  o The client runs on devices running Junos
  o The server runs on a host connected to a remote network
  o Configuration of RADIUS
    ▪ set groups global system radius-server <server address>
    ▪ set groups global system radius-server <server address> secret <password>
  o Configuration of TACACS+
    ▪ set system tacplus-server <server address>
    ▪ set groups global system tacplus-server <server address> secret <password>

Authentication order
• You can prioritize the order in which the software tries one or more of the three authentication methods
  o set groups global system authentication-order <method1 method2 method3>
• For each login attempt, Junos tries the authentication methods in order until the password is accepted
  o The next method is consulted if the previous authentication method failed to reply or if it rejected the login attempt
  o If no reply is received from any of the listed methods, Junos consults local password authentication as a last resort

Authorization
• A configured hierarchy of authorization components defines whether a command is authorized
  o User
    ▪ Multiple remotely authenticated users can be mapped to a locally defined template user
    ▪ Users are members of a single login class
  o Class
    ▪ A named container that groups together a set of one or more permission flags
    ▪ Can specify that the permission flags should be overridden for certain commands
    ▪ Predefined login classes
      • super-user: all permissions
      • operator: clear, network, reset, trace and view permissions
      • read-only: view permissions
      • unauthorized: no permissions
  o Permissions
    ▪ access --> viewing of the network access configuration
    ▪ access-control --> modifying of the network access configuration
    ▪ admin(-control) --> viewing/modifying of user accounts
    ▪ firewall(-control) --> viewing/modifying of the firewall configuration
    ▪ rollback --> ability to roll back to a depth greater than zero
    ▪ shell --> starting of a local shell
    ▪ …
  o Deny / allow
    ▪ Define regular expressions that match operational/configuration commands
    ▪ Explicitly allowed or denied
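The authentication order and the user/class/permission hierarchy above, combined into one configuration as an added example (not from the study guide). Server addresses 192.0.2.20 and 192.0.2.21, source address 192.0.2.10, the class names netops and helpdesk, the user emergency and the bracketed secrets are constructed placeholders; lines beginning with # are explanatory comments, not CLI input.

```junos
# AAA servers. With "password" absent from authentication-order, a local
# account is consulted only when NO server replies; a rejection by RADIUS
# falls through to TACACS+, never to a local password
set system radius-server 192.0.2.20 secret "<radius-shared-secret>"
set system radius-server 192.0.2.20 source-address 192.0.2.10
set system radius-server 192.0.2.20 timeout 5
set system radius-server 192.0.2.20 retry 3
set system tacplus-server 192.0.2.21 secret "<tacacs-shared-secret>"
set system tacplus-server 192.0.2.21 source-address 192.0.2.10
set system authentication-order [ radius tacplus ]

# Login classes: permission flags, then regular expressions that override
# them for specific commands
set system login class netops permissions [ clear network reset trace view view-configuration ]
set system login class netops deny-commands "^(request system (halt|reboot|software)|start shell)"
set system login class netops idle-timeout 15
set system login class helpdesk permissions [ view ]
set system login class helpdesk allow-commands "^(show interfaces|show system alarms|ping|traceroute)"
set system login class helpdesk idle-timeout 10

# Template user: remotely authenticated users without a local account of
# their own are mapped to this class (a server may also return a template
# user name to select a different class)
set system login user remote class netops

# One local account for when every AAA server is unreachable
set system login user emergency class super-user authentication plain-text-password

# Disconnect after repeated failed passwords
set system login retry-options tries-before-disconnect 3
commit
```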

System logging
• Uses a UNIX syslog-style mechanism to record system-wide, high-level operations such as interfaces going up or down or users logging in to or out of the device
• The primary syslog file is /var/log/messages
• Syslog configuration options
  o host <name>: sends messages to a remote host
  o host <ip>: sends messages to a remote host
  o archive: configures how to archive system logging files (default 100 – maximum size 128K)
  o console: configures the types of syslog messages to log to the system console
  o facility: the class of log messages
  o severity: the severity level of log messages
  o file <filename>: configures the name of the log file

  o files <number>: the maximum number of system log files

Interpreting system log entries
• A log entry consists of
  o Timestamp: when the message was logged
  o Name: the configured system name
  o Process name / PID: the name (and process ID) of the process that generated the message
  o Message code: identifies the general nature and purpose of the message
  o Message text: additional information

Tracing
• Used to store decoded protocol information received or sent by the RE
• Used for testing
  o Once you have completed your testing, turn off tracing to avoid unnecessary resource consumption
• Configuration for trace files
  o file <filename>: name of the file in which to store the information
  o size <size>: maximum size of each trace file
  o files <number>: maximum number of trace files
  o no-stamp: prevents timestamp information from being placed at the beginning of each line in the trace file
  o replace: replaces an existing trace file if one exists
  o world-readable: allows any user to view the file
  o no-world-readable: allows only the user who configured the file to view it

Monitoring log and trace files
• monitor start: views real-time log information
• Several log files can be monitored at one time
• The user must have the required access permissions to view the referenced log file

What time is it?
• NTP: synchronizes network devices to a common, and preferably accurate, time source
  o Timestamps on log messages are accurate and meaningful
• Two machines can synchronize only when their current clocks are relatively close
  o Difference of 128 milliseconds: synchronization is slow
  o Difference of 1000 seconds: no synchronization
• A boot server is used to set the system clock at boot time to ensure that it is close enough to later synchronize to the configured time server
  o set date ntp <address>

Monitoring NTP
• run show ntp associations: displays the synchronization status
• run show ntp status: further synchronization details

Automated configuration backup
• Specify the location
  o set system archival configuration archive-sites "ftp://<user@address>:/archive"
• transfer-interval: transfers occur at regular intervals
• transfer-on-commit: a transfer occurs every time a new configuration becomes active
• Once the configuration file is transferred to the remote storage device, a system log message is generated (success or failure)

SNMP operation
• Devices running Junos act as SNMP agents
  o An SNMP agent exchanges network management information with SNMP manager software running on a network management system (NMS) or host
  o The agent responds to requests for information and actions from the manager. An agent communicates with the SNMP manager using:
    ▪ Get / GetBulk / GetNext requests: the SNMP manager requests information from an SNMP agent. The agent responds with a Get Response message
    ▪ Set requests: the SNMP manager changes the value of a management information base (MIB) object controlled by the agent. The agent returns the status in a Set Response message
      • A MIB is a collection of objects maintained by the SNMP agent in a hierarchical fashion. The SNMP manager views or changes objects within the MIB structure. NMS devices poll object identifiers (OIDs) to retrieve management information. An object identifier is considered a leaf in the tree-like hierarchy of a MIB.
    ▪ Notifications: the SNMP agent sends traps to notify the manager of significant events regarding the network device

SNMP support
• Version 1: the initial implementation of SNMP, which defines the architecture and framework for SNMP
• Version 2: added support for community strings, which act as passwords determining access to SNMP agent MIBs
• Version 3: provides enhanced security features, including the definition of a user-based security model and a view-based access control model
  o Provides message integrity, authentication and encryption

SNMP configuration
• The contact information must be as specific as possible
  o Useful when trying to resolve issues with a network device
• set snmp description <description>
• set snmp location <location>
• set snmp community <name>
  o authorization read-only
  o clients <ip>
• set snmp trap-group my-trap-group
  o version 2
  o categories chassis
  o categories link
  o targets <ip>

Monitoring SNMP operation
• show snmp
• When a trap condition occurs, some traps are logged if system logging is configured with the appropriate facility and severity levels, regardless of whether a trap group is configured
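The logging, NTP, archival and SNMP sections of this chapter brought together in one configuration, added here and not part of the study guide. The collector/NMS 192.0.2.50, NTP server 192.0.2.123, SCP host 192.0.2.60, source address 192.0.2.10, community name monitoring, trap group nms and the bracketed password are constructed; lines beginning with # are explanatory comments, not CLI input.

```junos
# Syslog: keep the primary file, rotate it, and send the events that matter
# for detection (logins, configuration changes) to a remote collector so they
# survive tampering with or loss of the device
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file messages archive size 1m files 10
set system syslog file interactive-commands interactive-commands any
set system syslog host 192.0.2.50 any notice
set system syslog host 192.0.2.50 authorization info
set system syslog host 192.0.2.50 interactive-commands info
set system syslog host 192.0.2.50 source-address 192.0.2.10
set system syslog console any critical

# NTP: the boot server sets the clock at boot so that it is close enough to
# synchronize; the server then keeps it synchronized, which is what makes the
# timestamps above comparable with other devices
set system ntp boot-server 192.0.2.123
set system ntp server 192.0.2.123

# Archival: push every newly active configuration over SSH; the transfer
# result is logged, giving a change trail as well as disaster-recovery copies
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://backup@192.0.2.60:/archive" password "<scp-password>"

# SNMP: specific contact details, a read-only community that only the NMS
# subnet may use (all other clients are refused), and traps to the NMS
set snmp description "R1, branch router"
set snmp location "Brussels office, room B12, rack 3"
set snmp contact "noc@example.net"
set snmp community monitoring authorization read-only
set snmp community monitoring clients 192.0.2.0/24
set snmp community monitoring clients 0.0.0.0/0 restrict
set snmp trap-group nms version v2
set snmp trap-group nms categories chassis
set snmp trap-group nms categories link
set snmp trap-group nms categories authentication
set snmp trap-group nms targets 192.0.2.50
commit

# Verify the result
run show ntp associations
run show snmp statistics
run show log messages | last
```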

QUESTIONS
1. Which user authentication methods are available?
   • Local, RADIUS, TACACS+
2. Which command displays the primary syslog file?
   • show log messages
     o /var/log/messages
3. Why should you use configuration archival?
   • It allows for disaster recovery in situations where a system storage device becomes unusable
4. What is the purpose of SNMP traps?
   • A trap is an agent-initiated notification of network events relative to the sending agent

Chapter 5: Operational monitoring and maintenance
Monitoring tools
• CLI: show & monitor
• J-Web
• SNMP
• LEDs (hardware)
• LCD (front-panel displays)

Monitoring the system
• show system
  o alarms: displays current system alarms
  o boot-messages: displays the messages seen during the last system boot
  o connections: displays the status of local TCP and UDP connections
  o statistics: provides options for viewing various protocol statistics
  o storage: displays the status of the file system storage space
  o …

Monitoring the chassis
• show chassis
  o alarms: displays current chassis alarms
  o environment: displays component and environmental status as well as the operational speeds of the cooling system
  o hardware: displays an inventory of the installed hardware components along with the serial number of each component
  o routing-engine: provides operational status and utilization details for the RE

Interface status verification
• show interfaces: verifies various details and status information for interfaces
  o <interface-name>: filters the generated output and displays details only for the specified interface
  o terse: displays all installed interfaces and their accompanying details
    ▪ Verifies the state information for physical and logical interfaces
    ▪ Interface, admin, link, protocol, local and remote
  o extensive: displays detailed information for a (named) interface
    ▪ Shows errors, statistics and physical and logical interface properties
• monitor interface: provides real-time packet and byte counters as well as displaying error and alarm conditions
  o traffic: displays real-time usage statistics for all interfaces

Ping and traceroute
 Determine general network reachability and the path that packets take to reach a destination
 By default, the ping utility sends a continuous flow of ICMP echo requests to the referenced
destination
o Count: specify number of ICMP echo requests to send out

Monitoring traffic
 monitor traffic: provides access to the tcpdump utility
o Captures only traffic that originates or terminates on the local RE
o layer2-headers: monitor and diagnose problems at layer 2
o matching: match packet fields
o write-file: save packet captures for analysis with a third-party packet decoder such as Ethereal or Wireshark
 This option is hidden
 Use with caution

Determining the Junos Release
 show version: determine the current Junos OS Release
o detail: additional details about the software packages and the processes included in the Junos OS Release

Naming convention
 The Junos naming convention format is package-release-edition
o Package: description of the software contents
 jinstall
 jinstall-ex
 junos-jsr
 junos-srx
o Release: describes the Junos release and includes several subcomponents
 Major and minor release numbers as well as a capital letter that indicates the type of software release
o Edition: typically domestic or export
 Domestic: supports strong encryption
 Export: does not support strong encryption
 Packages contain digital signatures and SHA-1 and MD5 checksums
o A package is installed only if the checksum within it matches the hash recorded in its corresponding file
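The checksum check described above, as an added example that is not part of the study guide or of Junos itself: a Python routine that parses a checksum listing in the common "HASH  FILENAME" layout (an assumed format; Juniper's own checksum files may differ) and verifies a package's SHA-1 or MD5 digest against it before the package is used. The package bytes and the file name are constructed here.

```python
import hashlib
import hmac

# Constructed checksum listing in the common "HASH  FILENAME" layout (assumed
# format, not copied from a Juniper download page). The digest is SHA-1 of the
# three bytes b"abc", which stand in for a real package below.
CHECKSUM_LISTING = """\
# sha1 checksums for the example package
a9993e364706816aba3e25717850c26c9cd0d89d  junos-example-package.tgz
"""


def parse_checksum_listing(text):
    """Return {filename: hex digest} from lines of 'HASH  FILENAME'.
    Blank lines and '#' comments are ignored; a leading '*' (binary-mode
    marker written by some checksum tools) is stripped from the name."""
    recorded = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        recorded[name.strip().lstrip("*")] = digest.lower()
    return recorded


def digest_of(data, algorithm):
    """Hex digest of data with the named hashlib algorithm ('sha1' or 'md5')."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_package(data, filename, listing, algorithm="sha1"):
    """True only if the package digest matches the digest recorded for its
    file name. The comparison is constant-time so a mismatch does not leak
    how many leading hex characters agreed."""
    expected = parse_checksum_listing(listing).get(filename)
    if expected is None:
        return False  # no recorded hash at all: refuse rather than assume
    return hmac.compare_digest(digest_of(data, algorithm), expected)


if __name__ == "__main__":
    package = b"abc"  # constructed stand-in for the downloaded image bytes
    ok = verify_package(package, "junos-example-package.tgz", CHECKSUM_LISTING)
    print("checksum matches" if ok else "checksum MISMATCH, do not install")
```

A missing entry is treated the same as a mismatch: the routine refuses rather than assuming the package is fine when nothing was recorded for it.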

Downloading the Junos OS
 Using a web browser or an FTP client
o Requires a valid service contract and access account

Upgrading the Junos OS
 request system software add <path/image>: upgrade the Junos OS
o Specify a local path
o Specify a remote FTP location
o Specify a remote SCP location
 Reboot the system

Unified in-service software upgrade (ISSU)
 Enables you to upgrade between two different Junos OS releases with no disruption on the control plane and with minimal disruption of traffic
 Only on dual-RE platforms
 The master RE and backup RE must be running the same software release!
 You can't take any PICs online or offline during a unified ISSU
 request system software in-service-upgrade

Password recovery requires a console connection
 Only possible by using the console connection
 You can disable password recovery by setting the console port to insecure
 Recovery steps:
o Obtain console access and reboot the system
 Press the spacebar when prompted during the boot loader process
o The system performs a single-user boot-up process and prompts you to run the recovery script, enter a shell pathname, or press Enter for a default shell
 Enter recovery
o Enter configuration mode
 Reset the root password
 Commit!

QUESTIONS
1. List two methods for monitoring devices running the Junos OS.
 show
 monitor
2. Which command do you use to view interface usage details in real time?
 monitor interface
 monitor interface traffic
3. Which command do you use to perform packet captures?
 monitor traffic interface
4. Describe the upgrade procedure.
 Download the Junos image
 Copy the install package to the device
 Upgrade: request system software add
 Monitor the upgrade process through a console connection
 show version

Chapter 6: Interface configuration examples
Configuration examples
Ethernet interface with VLAN tagging
 A tagged Ethernet interface with multiple logical interfaces
 Each logical unit is assigned its respective VLAN ID

interfaces {
    fe-0/0/0 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {}
        }
        unit 200 {
            vlan-id 200;
            family inet {}
        }
    }
}

Serial interface with Frame Relay
 Serial interface with frame-relay encapsulation
 Each logical interface assigned to the serial interface has a corresponding data-link connection identifier (DLCI)

interfaces {
    se-1/0/1 {
        encapsulation frame-relay;
        unit 102 {
            dlci 102;
            family inet {}
        }
        unit 202 {
            dlci 202;
            family inet {}
        }
    }
}

Multilink Point-to-Point Protocol
 Two serial interfaces function as member links for the configured bundle
 Clocking mode: dce or internal
o Internal provides interface timing

Host1
interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet { ... }
        }
    }
    se-1/0/0 {
        serial-options {
            clocking-mode dce;
        }
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
    se-1/0/1 {
        serial-options {
            clocking-mode dce;
        }
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
}

Host2
interfaces {
    ls-0/0/0 {
        unit 0 {
            family inet { ... }
        }
    }
    se-1/0/0 {
        serial-options {
            clocking-mode internal;
        }
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
    se-1/0/1 {
        serial-options {
            clocking-mode internal;
        }
        unit 0 {
            family mlppp {
                bundle ls-0/0/0.0;
            }
        }
    }
}

Link aggregation group
 By default, no aggregated interfaces exist
 To create an aggregated interface (ae), simply add an aggregated device
 Define the parameters associated with the ae0 interface
 The ae0 interface configuration includes at least one logical unit along with the desired logical interface properties

chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
}
interfaces {
    ae0 {
        aggregated-ether-options {
            lacp {
                passive;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ ... ];
                }
            }
        }
    }
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
}

Configuration groups
 Allow you to create a group containing configuration statements and to direct the inheritance of that group's statements in the rest of the configuration
 Apply the same group to different sections of the configuration
 Allow you to create smaller, more logically constructed configuration files
 Use of wildcards is possible
 show interfaces … | display inheritance

Chapter 7: J-Web interface
J-Web interface
 !! set system web-management http
 Dashboard: quick glance at system status, ports, alarms and utilization information
 Configure: configure the system
 Monitor: view detailed real-time statistics and the results of configuration-related activity
 Troubleshoot: provides common network tools such as ping and traceroute
o Troubleshoot individual ports, ping a remote host, perform a traceroute, capture packet
dumps,..
 Maintain: perform software upgrades and file system maintenance
o Download and delete log files, memory dump files and other temporary files to keep your
flash memory device from becoming too full
o Upgrading the Junos OS
o Details on the licenses installed on the system, allowing you to add licenses

Creating a new user
 Add new users to the device's local database
 Define a login name and password for the user and specify a login class for access privileges

Interface configuration
 You must have at least one logical interface configured on your physical Ethernet interface

Network monitoring
 Quickly capture and analyze router control traffic on a device
o Destined for or originating from the RE

Chapter 8: Routing fundamentals
A basic definition of routing
 Routing: process of moving data between L3 networks
 Routers are most common, but many switches and security devices can also perform routing
operations

Routing components
 Two primary requirements
o An end-to-end communications path
o Ensuring all L3 devices within the communications path have the required information
 Gateway: a router that connects to the internal networks as well as the Internet
 It must define a proper next hop for each destination prefix of the transit traffic it receives
 It uses the forwarding table (FT) to make this determination

Test your knowledge

 A proper gateway
o Gateway user A: 10.1.1.1
o Gateway user B: 10.1.1.1
o Gateway devices within the data center: 10.2.2.1
 The router which functions as the gateway requires sufficient routing information to determine
the proper next hop for the traffic sent between the connected networks.

Routing information sources
 Routing table: consolidates prefixes from multiple routing information sources, including various routing protocols, static routes, and directly connected routes
 Active route selection
o Multiple routes for a given prefix --> selects a single route as the active route
o Junos supports multiple, equal-cost routes
 FT
o The router uses the active route for each destination prefix to populate the FT
o FT determines the outgoing interface and L2 rewrite information for each packet
forwarded by a device running Junos

Multiple routing tables
 Primary routing table: inet.0
o IPv4 unicast routes
 Additional tables
o inet.1: multicast forwarding cache
o inet.2: Multicast Border Gateway Protocol (MBGP) routes used for reverse path forwarding (RPF) checks
o inet.3: MPLS path information
o inet.4: Multicast Source Discovery Protocol (MSDP) route entries
o inet.6: IPv6 unicast routes
o mpls.0: MPLS next hops

Preferred routing information sources
 Route preference is used to differentiate routes received from different routing protocols or routing information sources
 It is the equivalent of administrative distance on equipment from other vendors

Selecting the active route
 Junos uses the route preference to rank routes received through the various routing information sources and as the primary criterion for selecting the active route
 Values can range from 0 to 4 billion
 Default preference values, from most preferred to least preferred:
o Direct 0
o Local 0
o System routes 4
o Static and static LSPs 5
o RSVP-signaled LSPs 7
o LDP-signaled LSPs 9
o OSPF internal 10
o IS-IS level 1 internal 15
o IS-IS level 2 internal 18
o Redirects 30
o Kernel 40
o SNMP 50
o Router discovery 55
o RIP 100
o RIPng 100
o DVMRP 110
o Aggregate 130
o OSPF AS external 150
o IS-IS level 1 external 160
o IS-IS level 2 external 165
o BGP (internal & external) 170
o MSDP 175
 You can modify the default preference value for most routing information sources
o Exception: direct and local routes
 These are always preferred regardless of the modified route preference value associated with other routing information sources
 When routes have equal cost for the same destination, the routing protocol daemon (rpd) randomly selects one of the available paths
o This distributes load among the paths while maintaining packet ordering per destination
o If desired, enable per-flow load balancing over multiple equal-cost paths through routing policy

Viewing the routing table
 show route: displays all route entries in the routing table
o A summary of active, holddown and hidden routes
 Active routes: the routes the system uses to forward traffic
 Holddown routes: routes that are in a pending state before the system declares them inactive
 Hidden routes: routes that the system can't use for reasons such as an invalid next hop or route policy
o All active routes are marked with an *
o Each route entry displays the source from which the device learned the route, along with the route preference for that source
 You can filter the generated output by destination prefix, protocol type and other distinguishing attributes

Forwarding table
 Stores a subset of the information from the routing table
 show route forwarding-table: displays the details used by the device running Junos to forward packets, such as the learned destination prefixes and the outgoing interfaces associated with each destination prefix
o Destination default: matches all packets when no other matching entry exists
 The router discards the packet and sends an ICMP destination unreachable message back to the sender
o Common route types
 dest: remote addresses directly reachable by an interface
 intf: installed as a result of configuring the interface
 perm: routes installed by the kernel when the routing table initializes
 user: routes installed by the routing protocol process or as a result of the configuration
o Common next hop types
 bcst: broadcast
 dscd: discard silently
 hold: next hop is waiting to be resolved into a unicast or multicast type
 locl: local address on an interface
 mdsc: multicast discard
 recv: receive
 rjct: discard and send an ICMP unreachable message
 ucst: unicast
 ulst: a list of unicast next hops used when you configure load balancing

Determining the next hop
 When a packet enters the device, the device compares that packet against the entries within the forwarding table to determine the proper next hop
o Destined to the local device: Junos processes the packet locally
o Destined to a remote device and a valid entry exists: forwards the packet out the next-hop interface associated with the forwarding table entry
 Multiple destination prefixes match? --> most specific entry
 Longest match
o Destined to a remote device and no valid entry exists: responds to the source device with a destination unreachable notification

Test your knowledge
 Destined to 172.19.52.101
o Destination prefix: 172.19.52.0/24
o Next hop: ge-0/0/1.0
 Destined to 172.19.52.51
o Destination prefix: 172.19.52.16/28
o Next hop: ge-0/0/2.0
 Destined to 172.25.100.27
o Destination prefix: user-defined default forwarding entry
o Next hop: ge-0/0/0

Overview of routing instances
 Junos logically groups routing tables, interfaces and routing protocol parameters to form unique routing instances
 The device logically keeps the routing information in one routing instance apart from all other routing instances

Master routing instance
 Junos creates a default unicast routing instance called the master routing instance
 By default, the master includes the inet.0 routing table
o The software creates other routing tables and adds them to the respective routing instance
 Junos also creates private routing instances, which the device uses for internal communications between hardware components
 show route instance

User-defined routing instances
 set routing-instances <instance name> instance-type: configure additional routing instances
o forwarding: to implement filter-based forwarding for common Access Layer applications
o l2vpn: L2 VPN implementations
o no-forwarding: to separate large networks into smaller administrative entities
o virtual-router: non-VPN-related applications such as system virtualization
o vpls: for point-to-multipoint LAN implementations between a set of sites in a VPN
o vrf: L3 VPN implementations
 Junos automatically generates the routing tables
o For example: new-instance.inet.6 --> IPv6 unicast routing table
o show route table new-instance.inet.0

Static routes
 Used in a networking environment for multiple purposes, including a default route for the autonomous system and as routes to customer networks
 Manually configure the routing information provided by static routes on each router or multilayer switch in the network
 set routing-options static route
o no-readvertise: restricts the route from being advertised into a routing protocol through routing policy
 Highly suggested for static routes used for management traffic

Next hop required
 Static routes must have a valid next hop defined
o IP address of the neighboring router headed toward the ultimate destination
o Egress interface: for point-to-point interfaces
o Bit bucket: dropping the packet off the network
 reject: sends an ICMP message to the source of the IP packet
 discard: sends no ICMP message to the source of the IP packet
 Drops the packet silently
 Static routes remain in the routing table until you remove them or until they become inactive

Resolving indirect next hops
 By default, Junos requires that the next-hop IP address of a static route be reachable using a direct route
o resolve: a route to the indirect next hop is also required
 Indirect next hops can be resolved through another static route or through a dynamic routing protocol

Qualified next hops
 Allow independent preferences for static routes to the same destination
o All traffic uses the route with the lowest preference until it becomes unavailable
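Active-route selection by preference, longest-match forwarding lookup, next-hop resolution for static routes and qualified next hops, combined in one added example (Python, not Juniper code and not part of the study guide). The prefixes 172.19.52.0/24, 172.19.52.16/28 and the default route come from the chapter's next-hop exercise; all other routes, addresses and interface names are constructed here, and rpd's random choice among equal-cost paths is approximated by a per-destination hash.

```python
import ipaddress
import zlib

# Default route preferences from the chapter (lower is more preferred).
DEFAULT_PREFERENCE = {"direct": 0, "local": 0, "static": 5, "ospf": 10,
                      "rip": 100, "bgp": 170}

def is_ip(value):
    """True for an IP next hop; False for an interface, 'reject' or 'discard'."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

class Route:
    """One routing-table entry. resolve=True models the chapter's 'resolve'
    option: the static next hop may be reached through a non-direct route."""
    def __init__(self, prefix, source, next_hop, preference=None, resolve=False):
        self.prefix = ipaddress.ip_network(prefix)
        self.source = source
        self.next_hop = next_hop  # neighbour IP, egress interface, or bit bucket
        self.preference = DEFAULT_PREFERENCE[source] if preference is None else preference
        self.resolve = resolve

def select_active(routes):
    """{prefix: [candidates with the lowest preference]}. Direct and local
    routes always win, whatever preference other sources were given; more
    than one route in a list means equal-cost candidates."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    active = {}
    for prefix, candidates in by_prefix.items():
        pool = [r for r in candidates if r.source in ("direct", "local")] or candidates
        best = min(r.preference for r in pool)
        active[prefix] = [r for r in pool if r.preference == best]
    return active

def lookup(active, destination):
    """Longest-prefix match. Returns the chosen Route, or None when nothing
    (not even a default) matches: the 'destination unreachable' case."""
    addr = ipaddress.ip_address(destination)
    matches = [p for p in active if addr in p]
    if not matches:
        return None
    candidates = active[max(matches, key=lambda p: p.prefixlen)]
    # Hash per destination so one destination always takes the same equal-cost
    # path, which keeps packet ordering for that destination.
    return candidates[zlib.crc32(addr.packed) % len(candidates)]

def resolvable_routes(routes):
    """Drop static routes whose next-hop IP cannot be resolved. By default the
    next hop must fall inside a direct route; with resolve=True another static
    route or a protocol route may supply it."""
    kept = []
    for r in routes:
        if r.source == "static" and is_ip(r.next_hop):
            others = [x for x in routes if x is not r]
            if not r.resolve:
                others = [x for x in others if x.source in ("direct", "local")]
            if lookup(select_active(others), r.next_hop) is None:
                continue
        kept.append(r)
    return kept

def forwarding_lookup(routes, destination):
    """Resolve one destination to (prefix, next hop) via the active routes,
    or None when the forwarding table has no matching entry."""
    hit = lookup(select_active(resolvable_routes(routes)), destination)
    return None if hit is None else (str(hit.prefix), hit.next_hop)

# Constructed routing table. The prefixes 172.19.52.0/24, 172.19.52.16/28 and
# the default route are the chapter's exercise; everything else is made up.
ROUTING_TABLE = [
    Route("172.19.52.0/24", "direct", "ge-0/0/1.0"),
    Route("172.19.52.0/24", "ospf", "172.19.52.254"),  # loses to the direct route
    Route("172.19.52.16/28", "static", "ge-0/0/2.0"),
    Route("0.0.0.0/0", "static", "ge-0/0/0"),
    Route("10.0.0.0/24", "direct", "ge-0/0/3.0"),
    # Qualified next hops: one static destination, two next hops with their own
    # preferences; the lower one is used until it becomes unusable.
    Route("192.0.2.0/24", "static", "10.0.0.2", preference=5),
    Route("192.0.2.0/24", "static", "172.19.52.9", preference=10),
    # Indirect next hop: 198.18.0.1 is reachable only via a non-direct route,
    # so this static route needs 'resolve' to be installed at all.
    Route("198.51.100.0/24", "static", "198.18.0.1", resolve=True),
    Route("198.18.0.0/16", "ospf", "10.0.0.7"),
    Route("203.0.113.0/24", "static", "198.18.0.9"),  # no resolve: dropped
    Route("10.99.0.0/16", "static", "reject"),  # bit bucket, ICMP unreachable
]

if __name__ == "__main__":
    for dst in ("172.19.52.101", "172.19.52.20", "172.25.100.27", "192.0.2.7"):
        print(dst, "->", forwarding_lookup(ROUTING_TABLE, dst))
```

Removing the direct 10.0.0.0/24 route from the table makes the preference-5 next hop 10.0.0.2 unresolvable, and the lookup for 192.0.2.0/24 falls over to the preference-10 next hop, which is the qualified-next-hop behaviour the chapter describes.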

Dynamic routing
 Configure the network interface to participate in a routing protocol
o Dynamically learn routing information from each other
o When a device adds or removes routing information for a participating device, all other
devices automatically update
 Benefits
o Lower administrative overhead: the device learns routing information automatically,
which eliminates the need for manual route definition
o Increased network availability: during failure situations, dynamic routing can reroute
traffic around the failure automatically
o Greater network scalability: the device easily manages network growth by dynamically
learning routes and calculating the best paths through a network

OSPF protocol
 An interior gateway protocol
 Link-state routing protocol designed for use within an autonomous system
o Link-state protocols allow faster reconvergence, support larger internetworks, and are less susceptible to bad routing information than distance-vector protocols
 Devices running OSPF send out information about their network links and the state of those links to other routers in the autonomous system
o Transmitted reliably to all other routers in the autonomous system by means of link-state advertisements (LSAs)
o The other routers receive this information and store it locally
 In addition to flooding link-state advertisements and discovering neighbors, the link-state routing protocol establishes the link-state database
o Stores the LSAs as a series of records
o The important information for the shortest path determination process is
 The advertising router's ID
 Its attached networks
 Neighboring routers
 The cost associated with those networks or neighbors
 OSPF uses areas to allow for a hierarchical organization and facilitate scalability
o An area is a logical group of routers
 Summarizes routing information and passes it to the rest of the network
 Areas can reduce the size of the link-state database on an individual router
 Each OSPF router maintains a separate link-state database for each area to which it is connected
 The link-state database for a given area is identical for all participating routers within that area
o OSPF maintains a special area called the backbone area
 Area 0.0.0.0
 All other areas must connect to the backbone for connectivity
 All data traffic between areas must transit the backbone
 Configuration
o set protocols ospf area 0 interface <interface-name>
 Specify the logical interface; if a unit is not referenced, Junos assumes unit 0
 passive: use the passive option to prohibit adjacency formation on the interface
 Verifying the OSPF neighbor state:
o show ospf neighbor: determine OSPF adjacencies
 Address: the address of the neighbor
 Interface: the interface through which the neighbor is reachable
 State: Attempt, Down, Exchange, Full, Init, Loading or 2Way
 Full: neighbors are exchanging routing information
 ID: the router ID of the neighbor
 Pri: priority of the neighbor to become the designated router
 Used on broadcast networks during designated router elections
 Default: 128 (highest priority)
 Dead: number of seconds until the neighbor becomes unreachable
 Viewing OSPF routes
o show route protocol ospf
 Displays OSPF routes learned by the router
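The shortest-path computation that the link-state database feeds, as an added example (Python, not Juniper code and not part of the study guide): Dijkstra's algorithm run over a constructed LSDB holding each router's ID, its neighbours with link costs, and its attached networks. Every router in the area holds the identical database and runs the computation rooted at itself; withdrawing a link and recomputing shows the reconvergence the chapter mentions. All router IDs, costs and networks are made up.

```python
import heapq

# Constructed link-state database (not from a real router). Each record is one
# advertising router's ID and the neighbours it reports with the link cost;
# STUB_NETWORKS holds the networks each router attaches and their cost.
LSDB = {
    "10.0.0.1": {"10.0.0.2": 10, "10.0.0.3": 5},
    "10.0.0.2": {"10.0.0.1": 10, "10.0.0.4": 1},
    "10.0.0.3": {"10.0.0.1": 5, "10.0.0.4": 20},
    "10.0.0.4": {"10.0.0.2": 1, "10.0.0.3": 20},
}
STUB_NETWORKS = {
    "10.0.0.3": {"192.168.3.0/24": 1},
    "10.0.0.4": {"192.168.4.0/24": 1},
}


def shortest_paths(lsdb, root):
    """Dijkstra over the LSDB. Returns (cost to each router, predecessor map)."""
    cost = {root: 0}
    prev = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost.get(node, float("inf")):
            continue  # stale heap entry, a cheaper path was found already
        for nbr, link in lsdb.get(node, {}).items():
            nd = d + link
            if nd < cost.get(nbr, float("inf")):
                cost[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    return cost, prev


def first_hop(prev, root, node):
    """Walk the predecessor chain back to the neighbour the root forwards to.
    Returns None for the root itself (its own attached networks)."""
    while prev.get(node) not in (None, root):
        node = prev[node]
    return node if node != root else None


def ospf_routes(lsdb, stubs, root):
    """{network: (total cost, next-hop router)} as the root would install
    them. Networks behind routers the SPF tree does not reach are skipped."""
    cost, prev = shortest_paths(lsdb, root)
    routes = {}
    for router, nets in stubs.items():
        if router not in cost:
            continue
        for net, stub_cost in nets.items():
            routes[net] = (cost[router] + stub_cost, first_hop(prev, root, router))
    return routes


def without_link(lsdb, a, b):
    """Copy of the LSDB with the a<->b link withdrawn (models a link failure)."""
    return {r: {n: c for n, c in nbrs.items() if {r, n} != {a, b}}
            for r, nbrs in lsdb.items()}


if __name__ == "__main__":
    print(ospf_routes(LSDB, STUB_NETWORKS, "10.0.0.1"))
    print(ospf_routes(without_link(LSDB, "10.0.0.2", "10.0.0.4"), STUB_NETWORKS, "10.0.0.1"))
```

From 10.0.0.1 the path to 192.168.4.0/24 goes via 10.0.0.2 at cost 12 (10 + 1 + 1); with the 10.0.0.2 to 10.0.0.4 link withdrawn the same network is reached via 10.0.0.3 at cost 26.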

QUESTIONS
1. What are two key requirements for routing traffic between two remote devices?
 End-to-end communication path
 Necessary routing information on all participating L3 devices in the communication path
2. List the default IPv4 and IPv6 unicast routing tables
 IPv4: inet.0
 IPv6: inet.6
3. Which primary criterion determines the active routes within the routing table?
 Route preference
4. Which configuration option allows unique preference values for static routes to the same
destination?
 Qualified-next-hop
5. List some advantages of using a dynamic routing protocol instead of static routing.
 Lower administrative overhead
 Greater network scalability
 Increased network availability

Chapter 9: Routing policy
Overview of a routing policy
 Routing policy allows you to control the flow of routing information to and from the routing table
o Apply as information enters the routing table and as information leaves the routing table
o Use it to choose which routes you accept or reject from neighbors running dynamic routing protocols
o Also allows you to modify attributes on routes as they enter or leave the routing table
 Routing policy allows you to control the flow of routing information into the forwarding table
o To control which routes you install in the forwarding table
o To control some of the attributes associated with those routes
 Import policy: control how the software imports routes into the routing table
o Import policies before placing routes in the routing table
o Can change the routes that are available in the routing table
o Can affect the local route selection process
 Export policy: control how the software sends routes from the routing table
o Export policies as it exports routes from the routing table to dynamic routing protocols or
to the forwarding table
o Only active routes are available for export from the routing table
o Can choose which active routes to export
o Can modify attributes of those routes
o Cannot cause the exportation of inactive routes!

Default routing policies
 Every protocol has a default import policy and a default export policy
 BGP
o Import policy: accept all routes from BGP neighbors and install them in the routing table
o Export policy: advertise all active BGP routes
o Configure policies at the protocol, group and neighbor levels
 OSPF
o Import policy: import all OSPF routes
 OSPF maintains a consistent link-state database throughout each OSPF area by flooding link-state advertisements
 You cannot apply policy to affect the maintenance of the local link-state database or the flooding of link-state advertisements
 You cannot apply policy that prevents the software from installing internal routes in the routing table
 You can apply a policy that blocks external routes
o Export policy: reject everything
 Doesn't cause the system to stop flooding LSAs through the area
 The routing policy cannot control that behavior
 Blocks advertising of additional routes from other sources to OSPF neighbors
 To advertise them, configure an explicit export policy
o Configure policies only at the protocol level
 Link-state protocols rely on all participating devices having consistent link-state databases
 RIP
o Import policy: accept all routes learned from explicitly configured neighbors
 Ignores routes learned from neighbors not explicitly defined within the configuration
o Export policy: by default, no routes are exported to RIP neighbors
 Configure an export policy that matches and accepts RIP routes to advertise any routes to RIP neighbors
o Configure import policies at the protocol and neighbor level
o Configure export policies only at the group level

Building blocks of routing policy
 Routing policies contain ordered groups of terms
o Terms are the basic building blocks of all Junos policy
 from … then statements: if all the conditions match, all actions are executed
o Provided that one of those actions is a terminating action, the evaluation of the policy stops
 reject and accept --> first-match policy evaluation
 from: Junos performs the evaluation as a logical OR between arguments to a single match criterion and a logical AND between different match criteria

Common selection criteria
 Select routes based on their prefix, protocol, some routing attributes or next-hop information
 Prefix list
o List of prefixes configured under policy-options
o You can use them in multiple places
o Reference a prefix list in multiple terms in a single policy or in different policies
o Use prefix lists both for routing policies and for firewall filters
o You can use prefix lists in two ways in the from statements of routing policies
 prefix-list: routes match only if they exactly match one of the prefixes in the list
 prefix-list-filter: specify a match type of exact, longer or orlonger
 Route filter
o Lists of prefixes configured within a single routing policy or policy term
o Are not reusable
o Specific to the policy or term in which they are configured
o Provide more match types for selecting prefixes
 Match types
o Exact: only routes that match the given prefix exactly match the filter statement
o Longer: routes within the specified prefix with a prefix length greater than the given
prefix length match the filter statement
o Orlonger: routes within the specified prefix with a prefix length greater than or equal to
the given prefix length match the filter statement
o Upto: routes within the specified prefix with a prefix length greater than or equal to the
given prefix length, but less than or equal to the upto prefix length, match the filter
statement
o Prefix-length-range: routes within the specified prefix with a prefix length greater than or
equal to the first given prefix length, but less than or equal to the second given prefix
length, match the filter statement

Common actions
 Terminating actions: they cause the evaluation of the policy to stop and the route to be
o Accepted
o Rejected
 Nonterminating actions: they don’t cause the evaluation to stop, but they do overrule the default
policy’s accept or reject determination
o Default-action accept
o Default-action reject
 Some affect the flow of policy evaluation: they cause to evaluate the
o Next term
o Next policy
 Some modify protocol attributes
o BGP communities (add, delete and set)
o Route preference
o …

Defining and applying routing policy
 Define the routing policy
o set policy-options policy-statement <policy name> term <term name> from … then
 Apply the routing policy
o Depending on the routing protocol, you can apply import and export policies at multiple levels of the hierarchy
o Junos always applies the most specific import or export policy (and only the most specific)
 Import or export policies applied at higher levels of the configuration hierarchy apply to lower levels of the configuration if no other policy configuration exists at that level

Policy chaining
 Cascade policies to form a chain of policy processing
o Solve a complex set of route manipulation tasks in a modular manner
 Junos evaluates policies from left to right based on the order in which they are applied to a routing protocol
o Checks the match criteria of each policy and performs the associated action when a match occurs
 If the first policy does not match, or if the match is associated with a nonterminating action, Junos evaluates the route against the next policy in the chain
 Junos ultimately applies the default policy for a given protocol when no terminating action occurs while evaluating the user-defined policy chain
o Policy processing stops once a route meets a terminating action
 Junos lists terms sequentially from top to bottom and evaluates them in that order
o The software checks each term for its match criteria
 When a match occurs, the software performs the associated action
 Terminating action: the processing of the terms and the applied policies stops
 Nonterminating action: processing continues
 If no match exists in the first term, the software checks the second term
 If no match exists in the last term, Junos checks the next applied policy and then, eventually, the default policy for the protocol
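The route-filter match types and the term and policy-chain evaluation described in this chapter, as one added example (Python, not Juniper code and not part of the study guide): route_filter_match implements exact, longer, orlonger, upto and prefix-length-range; term_matches applies the OR-within-a-criterion, AND-across-criteria rule; evaluate_policy_chain walks a chain of policies term by term, honouring terminating and nonterminating actions, next term, next policy and the protocol default. The export chain, the route attributes and the prefixes are constructed, and only the protocol and route-filter criteria are modelled.

```python
import ipaddress


def route_filter_match(route_prefix, filter_prefix, match_type, *lengths):
    """The chapter's route-filter match types applied to one route prefix.
    'upto' takes one extra prefix length, 'prefix-length-range' takes two."""
    route = ipaddress.ip_network(route_prefix)
    flt = ipaddress.ip_network(filter_prefix)
    if route.version != flt.version or not route.subnet_of(flt):
        return False  # every type first requires the route to lie inside the filter prefix
    n, base = route.prefixlen, flt.prefixlen
    if match_type == "exact":
        return n == base
    if match_type == "longer":
        return n > base
    if match_type == "orlonger":
        return n >= base
    if match_type == "upto":
        return base <= n <= lengths[0]
    if match_type == "prefix-length-range":
        return lengths[0] <= n <= lengths[1]
    raise ValueError("unknown match type: " + match_type)


def term_matches(route, conditions):
    """'from' semantics: OR between the values given for one criterion, AND
    across different criteria. An empty 'from' matches every route."""
    for criterion, values in conditions.items():
        if criterion == "protocol":
            ok = route["protocol"] in values
        elif criterion == "route-filter":
            ok = any(route_filter_match(route["prefix"], *spec) for spec in values)
        else:
            raise ValueError("unsupported criterion: " + criterion)
        if not ok:
            return False
    return True


def evaluate_policy_chain(route, policies, default_action):
    """Walk the chain left to right and each policy's terms top to bottom.
    The first terminating action (accept/reject) ends evaluation; a
    nonterminating action modifies the route and evaluation continues;
    'next-term' ends the current term, 'next-policy' jumps to the next policy;
    the protocol default applies last. Returns (action, possibly modified route)."""
    route = dict(route)
    for policy in policies:
        skip_to_next_policy = False
        for term in policy:
            if not term_matches(route, term.get("from", {})):
                continue
            for action, value in term.get("then", []):
                if action in ("accept", "reject"):
                    return action, route
                if action == "preference":
                    route["preference"] = value
                elif action == "next-term":
                    break
                elif action == "next-policy":
                    skip_to_next_policy = True
                    break
            if skip_to_next_policy:
                break
    return default_action, route


# Constructed export chain for OSPF (whose default export policy rejects):
# policy 1 exports selected statics and hands 172.16/12 routes on to
# policy 2, which exports direct routes only.
EXPORT_STATICS = [
    {"from": {"protocol": ["static"],
              "route-filter": [("10.0.0.0/8", "prefix-length-range", 16, 24)]},
     "then": [("preference", 120), ("accept", None)]},
    {"from": {"route-filter": [("172.16.0.0/12", "orlonger")]},
     "then": [("next-policy", None)]},
]
EXPORT_DIRECT = [
    {"from": {"protocol": ["direct"]}, "then": [("accept", None)]},
]
OSPF_EXPORT_CHAIN = [EXPORT_STATICS, EXPORT_DIRECT]


def ospf_export(route):
    """Evaluate one route against the constructed chain with OSPF's default."""
    return evaluate_policy_chain(route, OSPF_EXPORT_CHAIN, "reject")
```

A static 10.1.0.0/16 is accepted by the first term with its preference modified on the way out; 10.0.0.0/8 itself fails the prefix-length-range, matches nothing else and falls through to the OSPF default reject; a direct 172.16.5.0/24 is handed by next-policy to the second policy, which accepts it.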

QUESTIONS
1. What is routing policy and when might you use it?
 Routing policy is used to control routing information within the routing table by choosing to accept, reject or modify attributes for routes received and sent through dynamic protocols, as well as for routes installed in the forwarding table.
2. List some common components of routing policy.
 Routing policy uses terms that consist of from … then statements
 from: describes the match conditions that must be met before taking the defined action
 then: describes the action the system should take if a packet or route meets the defined match condition
3. What are the two main steps involved when implementing a routing policy?
 Definition: define the policy or filter under the respective hierarchy level
 Application: apply the defined policy or filter

Chapter 10: Firewall filters
Firewall filters
 Often referred to as access control lists (ACLs) by other vendors
 Primarily use them to control traffic passing through the device
o Use filters to restrict certain types of traffic from passing into and out of your network
o Use them to perform monitoring tasks that help you formulate an effective security
strategy for your environment
 Are stateless in nature
o Examine each packet individually
o Do not keep state information on connections
 You must explicitly allow traffic in both directions for each connection that you want to permit
 Stateful: tracks connections and allows you to specify an action to take on all packets within a flow
o Only requires you to permit the initial connection; bidirectional communication for this connection is then permitted automatically

Building blocks of firewall filters
 The fundamental building block is the term
o Contains zero or more match conditions and one or more actions
o If all match conditions are true
 Junos takes the specified action within the term
o If no match conditions are specified
 All traffic matches the firewall filter term and is subjected to the stated action
 Use a filter to group together multiple terms; the filter discards all packets that the configuration does not explicitly permit through the defined terms

Common match criteria
 Specify the criteria used for matching packets in the from statement within a firewall filter term
o You can use many header fields as match criteria, but not all header fields may be available to you because of the way firewall filters are processed
 When you specify a header field
o Junos looks for a match at the location in the header where that field should exist
o It does not check whether the header field makes sense in the given context
 You must account for how the software looks for a match when writing your filters
 The stateless nature of firewall filters can affect the information available when processing fragmented packets
o The first fragment should have all L4 headers, but subsequent fragments will not
 Attempting to check L4 headers in fragments produces unpredictable results

Categories of match conditions
 Three categories
o Numeric range
o Address
o Bit-field

Common actions
 !!! by default, traffic is discarded !!!
 Specify the action in then
 Firewall filter actions include
o Terminating actions: cause the evaluation of the firewall filter to stop
 accept: causes the system to accept the packet and continue the input or output processing of the packet
 discard: causes the system to silently discard the packet, without sending an ICMP message to the source address
 reject: causes the system to discard the packet and send an ICMP message to the source
 Destination unreachable
 tcp-reset: the system responds to TCP packets with a TCP reset, but it sends no message in response to non-TCP packets
o Flow control
 next term: causes Junos to evaluate the next term
o Action modifiers
 count, log and syslog: record information about packets
 forwarding-class and loss-priority: specify class-of-service information
 policer: invoke a traffic policer

Defining a firewall filter
 Define the firewall filter
o set firewall family inet filter <filter name> term <term name> from … then

Filtering traffic on interfaces

 Primary purpose is to filter traffic entering or exiting interfaces
o You can apply them to all interfaces
o You can apply them to the lo0 interface to filter traffic destined for the system itself
 You can apply IPv4 firewall filters to interfaces
o set interfaces <int name> unit <number> family inet filter …
 input <filter name>
 output <filter name>
o You can specify both an input and an output filter on the same interface
o You can’t apply an IPv6 firewall filter to an IPv4 interface (filters are applied under the
protocol family they are written for)
 You can apply multiple filters to filter traffic
o set interfaces <int name> unit <number> family inet filter …
 input-list [ <filter names> ]
 output-list [ <filter names> ]

Test your knowledge

 Inbound HTTP traffic

 Permits inbound HTTP traffic to address 172.27.102.100/32

Filtering local traffic

 Transit firewall filters
o Act on packets flowing from one interface to another interface within a device running
Junos
o Can protect sites from unauthorized access and other threats
o To allow management traffic you must also allow routing protocol and other control traffic
to reach the RE
 The implicit silent discard, which discards all packets not explicitly allowed through a
defined term, has been known to cause undesirable effects

Policing

 In addition to dropping or accepting packets, firewall filters can also police (rate-limit) traffic
o Enables you to limit the amount of traffic that passes into or out of an interface
o Still employs match conditions such as addresses, protocols, ports, … to determine which
traffic on an interface is subject to rate-limiting
o Term has no from and contains a policer --> all packets on the interface are subject to
rate policing
 Interface-based policers
o Apply directly to a given protocol family on a given logical unit of a particular interface
o Accommodate L2 VPN traffic, MPLS and IPv6 families
o Operate without the need for a calling firewall filter
 Token-bucket algorithm
o Enforces a limit on average bandwidth while allowing bursts up to a specified maximum
value
o Two rate limits
 Bandwidth: number of bps permitted on average
 bandwidth-limit
 Maximum burst size: total number of bytes the system allows in bursts of data
that exceed the given bandwidth limit
 Sizing rule of thumb: speed of the interface * duration of the burst
 burst-size-limit
 A packet matches a term that has a policer in its then
o The packet does not exceed the policer
 System performs the actions in the firewall filter’s then as if you left the policer
out of the configuration
o The packet does exceed the policer
 System takes the actions in the policer’s then
 If the policer’s then does not discard the packet, the system takes the
remainder of the actions in the firewall filter’s then
 If the rate limit has been exceeded and both the policer’s then and the
firewall filter’s then define action modifiers, the system uses the policer’s
action modifiers
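To make the two limits and the then-clause rules concrete, here is an added Python model of a single-rate token-bucket policer and of how a policed term resolves. It is example code written for this summary, not Junos code or code from the study guide; the policer values, packet sizes and arrival times are constructed, and the names Policer, apply_policed_term, run_trace and burst_size_for are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Single-rate token bucket: bandwidth_limit in bits/s, burst_size_limit in
    bytes (the bucket depth). 'then' is what the policer does to out-of-profile
    packets: discard, or only set action modifiers such as loss-priority."""
    bandwidth_limit: int
    burst_size_limit: int
    then_discard: bool = True
    then_modifiers: dict = field(default_factory=dict)
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst_size_limit)   # bucket starts full

    def conforms(self, size_bytes, now):
        """Refill for the elapsed time at bandwidth_limit/8 bytes per second,
        capped at the burst size, then try to pay for the packet."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(self.burst_size_limit,
                          self.tokens + elapsed * self.bandwidth_limit / 8)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False


def burst_size_for(interface_bps, burst_seconds):
    """Rule of thumb from the summary: interface speed * burst duration, in bytes."""
    return round(interface_bps * burst_seconds / 8)


def apply_policed_term(policer, term_then, size_bytes, now):
    """Resolve the then clause of a term that references a policer.
    term_then is the term's own clause, e.g.
      {"action": "accept", "count": "policed", "loss-priority": "low"}
    Returns (terminating action, modifiers):
      in profile                     -> the filter's then, as if no policer existed
      out of profile, policer drops  -> discard, nothing else
      out of profile, policer marks  -> the filter's then still runs, but the
                                        policer's modifiers win on conflicts"""
    modifiers = {k: v for k, v in term_then.items() if k != "action"}
    action = term_then.get("action", "accept")
    if policer.conforms(size_bytes, now):
        return action, modifiers
    if policer.then_discard:
        return "discard", {}
    modifiers.update(policer.then_modifiers)
    return action, modifiers


def run_trace(policer, trace):
    """trace: constructed list of (arrival time in seconds, size in bytes).
    Returns 'in'/'out' per packet so a burst can be examined packet by packet."""
    return ["in" if policer.conforms(size, t) else "out" for t, size in trace]


if __name__ == "__main__":
    # Constructed: 8 kbit/s average (1000 bytes/s), 1500-byte bucket, 1000-byte
    # packets arriving as two back-to-back pairs one second apart.
    p = Policer(bandwidth_limit=8000, burst_size_limit=1500)
    print(run_trace(p, [(0.0, 1000), (0.0, 1000), (1.0, 1000), (1.2, 1000)]))
    print(burst_size_for(1_000_000_000, 0.005), "bytes for a 5 ms burst on 1 Gb/s")
```

Running the trace shows the bucket behaviour the text describes: the first packet of each pair fits in the burst, the second does not because only one second's worth of tokens has been refilled. apply_policed_term shows the difference between a policer whose then discards and one that only changes loss-priority: in the second case the term's own count still applies, but the policer's loss-priority overrides the term's.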

Case study

Output filter (deny-spoofed: anything leaving with a source address outside the internal prefix
is spoofed; note the except on the internal prefix, without it the term would discard all
outbound traffic)
set firewall family inet filter output-ff term deny-spoofed from source-address 0.0.0.0/0
set firewall family inet filter output-ff term deny-spoofed from source-address 172.27.102.0/24 except
set firewall family inet filter output-ff term deny-spoofed then log
set firewall family inet filter output-ff term deny-spoofed then discard

set firewall family inet filter output-ff term else-accept then count outbound-accepted
set firewall family inet filter output-ff term else-accept then accept

Input filter (deny-spoofed: inbound packets claiming an internal source address are spoofed)
set policy-options prefix-list internal-prefixes 172.27.102.0/24

set firewall family inet filter input-ff term deny-spoofed from source-prefix-list internal-prefixes
set firewall family inet filter input-ff term deny-spoofed then log
set firewall family inet filter input-ff term deny-spoofed then discard

set firewall family inet filter input-ff term allow-established-sessions from protocol tcp
set firewall family inet filter input-ff term allow-established-sessions from tcp-established
set firewall family inet filter input-ff term allow-established-sessions then accept

set firewall family inet filter input-ff term allow-some-icmp from protocol icmp
set firewall family inet filter input-ff term allow-some-icmp from icmp-type [ echo-reply time-exceeded unreachable ]
set firewall family inet filter input-ff term allow-some-icmp then accept

set firewall family inet filter input-ff term else-discard then count inbound-discarded
set firewall family inet filter input-ff term else-discard then discard

Applying the filters
set interfaces ge-0/0/1 unit 0 family inet filter input input-ff
set interfaces ge-0/0/1 unit 0 family inet filter output output-ff
set interfaces ge-0/0/1 unit 0 family inet address 172.30.25.2/30
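As an added example (not code from the study guide or from Junos), the following Python model runs the case-study filters above over constructed packets, following the term-evaluation rules from the Common actions section: the first matching term with a terminating action decides, next term continues, a matched term without a terminating action accepts, and the implicit discard applies when nothing matches. The packet dicts, the modelling of the output filter's anti-spoofing term as 0.0.0.0/0 plus the internal prefix as an except entry, and the conservative handling of non-first fragments (an L4 condition never matches them) are this example's assumptions, not PFE behaviour.

```python
import ipaddress

# Every Junos firewall filter ends with an implicit discard term.
IMPLICIT_DISCARD = "discard"


def match_address(addr, entries):
    """Model of a Junos address match list: the longest matching prefix decides,
    and an entry tagged 'except' makes addresses under it NOT match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    return best is not None and not best[1]


def term_matches(term, pkt, prefix_lists):
    """Evaluate one term's from clause against a packet (a plain dict)."""
    cond = term.get("from", {})          # empty from clause: matches everything
    if "source-address" in cond and not match_address(pkt["src"], cond["source-address"]):
        return False
    if "source-prefix-list" in cond:
        entries = [(p, False) for p in prefix_lists[cond["source-prefix-list"]]]
        if not match_address(pkt["src"], entries):
            return False
    if "protocol" in cond and pkt["protocol"] not in cond["protocol"]:
        return False
    # Only the first fragment carries the L4 header; the study guide warns that
    # checking L4 fields in later fragments is unpredictable. Modelling choice:
    # an L4 condition never matches a non-first fragment.
    if ("tcp-established" in cond or "icmp-type" in cond) and pkt.get("fragment_offset", 0):
        return False
    # tcp-established is shorthand for tcp-flags "(ack | rst)"
    if cond.get("tcp-established") and not (pkt.get("tcp_flags", set()) & {"ACK", "RST"}):
        return False
    if "icmp-type" in cond and pkt.get("icmp_type") not in cond["icmp-type"]:
        return False
    return True


def evaluate(terms, pkt, prefix_lists=None):
    """Run a packet through a filter: the first matching term with a terminating
    action decides, 'next term' keeps evaluating, and the implicit discard
    applies when nothing matched. Returns (action, applied action modifiers)."""
    applied = []
    for term in terms:
        if not term_matches(term, pkt, prefix_lists or {}):
            continue
        for key, val in term["then"].items():
            if key != "action":           # log, count, syslog ... are modifiers
                applied.append(key if val is True else f"{key} {val}")
        action = term["then"].get("action", "accept")   # matched term accepts by default
        if action != "next term":
            return action, applied
    return IMPLICIT_DISCARD, applied


# The case-study filters transcribed into the model. The output filter's
# anti-spoofing term lists 0.0.0.0/0 with the internal prefix as an 'except'.
PREFIX_LISTS = {"internal-prefixes": ["172.27.102.0/24"]}

OUTPUT_FF = [
    {"name": "deny-spoofed",
     "from": {"source-address": [("0.0.0.0/0", False), ("172.27.102.0/24", True)]},
     "then": {"log": True, "action": "discard"}},
    {"name": "else-accept", "then": {"count": "outbound-accepted", "action": "accept"}},
]

INPUT_FF = [
    {"name": "deny-spoofed", "from": {"source-prefix-list": "internal-prefixes"},
     "then": {"log": True, "action": "discard"}},
    {"name": "allow-established-sessions",
     "from": {"protocol": ["tcp"], "tcp-established": True}, "then": {"action": "accept"}},
    {"name": "allow-some-icmp",
     "from": {"protocol": ["icmp"], "icmp-type": ["echo-reply", "time-exceeded", "unreachable"]},
     "then": {"action": "accept"}},
    {"name": "else-discard", "then": {"count": "inbound-discarded", "action": "discard"}},
]

# Constructed sample packets (not captures) arriving on the filtered interface.
SAMPLES = {
    "reply-to-internal-client": {"src": "198.51.100.7", "protocol": "tcp", "tcp_flags": {"ACK"}},
    "new-inbound-connection": {"src": "198.51.100.7", "protocol": "tcp", "tcp_flags": {"SYN"}},
    "spoofed-internal-source": {"src": "172.27.102.9", "protocol": "tcp", "tcp_flags": {"ACK"}},
    "icmp-echo-reply": {"src": "198.51.100.7", "protocol": "icmp", "icmp_type": "echo-reply"},
    "icmp-echo-request": {"src": "198.51.100.7", "protocol": "icmp", "icmp_type": "echo-request"},
    "later-fragment-of-session": {"src": "198.51.100.7", "protocol": "tcp", "fragment_offset": 185},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"input-ff  {name:26} -> {evaluate(INPUT_FF, pkt, PREFIX_LISTS)}")
    for src in ("172.27.102.50", "10.0.0.1"):
        print(f"output-ff src={src:14} -> {evaluate(OUTPUT_FF, {'src': src, 'protocol': 'udp'})}")
```

The last sample is the point of the fragment caveat: a non-first fragment of a legitimate established session carries no TCP header, so allow-established-sessions cannot match it and it falls through to else-discard. On a real device the result is unpredictable rather than a clean miss, which is why filters that must pass fragmented traffic need a term for them.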

Automated antispoofing filters

 Unicast reverse-path-forwarding (RPF) checks validate that a packet arrived on an interface where
Junos would expect to receive traffic from that source
 By default: the system expects to receive traffic on a given interface if it has an active route to the
packet’s source address and if it received the packet on the interface that is the next hop for the
active route to the packet’s source address
 Junos accomplishes unicast RPF checks by downloading additional information to the PFE
o Activating this feature increases PFE memory usage

Strict versus loose

 By default: strict mode (the behaviour described above)
 Loose mode: checks only that a valid route to the source address exists in the routing table

Active versus feasible paths

 By default: considers only the active routes to a given destination
 Asymmetric routing: this design can cause legitimate traffic to be dropped
o Require the system to consider all feasible routes to a destination when it performs the
RPF check
 Typically you configure only edge devices to perform RPF checking
o All inbound and outbound spoofing passes through that device

Fail filters
 By default, a packet that fails the RPF check is discarded
 You can specify an optional fail filter
o Packets that fail the RPF check are processed through that filter before being discarded
o The fail filter can perform all actions and action modifiers available in any other firewall filter
 Including accepting the traffic despite the packet failing the RPF check
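An added Python model (not Junos code, not from the study guide) of the three uRPF choices above: strict versus loose, active-only versus feasible paths, and a fail filter. The routing table, interface names, addresses and the fail filter's accept list are constructed for the example.

```python
import ipaddress


class RoutingTable:
    """Constructed routing table of (prefix, next-hop interface, active?) entries.
    Several entries for one prefix model an active route plus feasible
    alternatives, which is the asymmetric-routing case from the text."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifl, active) for p, ifl, active in routes]

    def reverse_nexthops(self, src, feasible_paths=False):
        """Interfaces the longest-matching route to src points out of.
        By default only active routes count; feasible_paths adds the rest."""
        ip = ipaddress.ip_address(src)
        hits = [r for r in self.routes if ip in r[0]]
        if not hits:
            return set()
        longest = max(net.prefixlen for net, _, _ in hits)
        return {ifl for net, ifl, active in hits
                if net.prefixlen == longest and (active or feasible_paths)}


def rpf_check(table, pkt, mode="strict", feasible_paths=False):
    """True if the packet passes unicast RPF. Defaults mirror Junos: strict
    mode, active route only. Strict: the packet must arrive on the interface
    that is the next hop back to its source. Loose: any route to the source."""
    nexthops = table.reverse_nexthops(pkt["src"], feasible_paths)
    if not nexthops:
        return False                       # no route to the source: fails both modes
    if mode == "loose":
        return True
    return pkt["ingress"] in nexthops


def rpf_decision(table, pkt, fail_filter=None, **check_options):
    """By default a failed check discards the packet. With a fail filter the
    packet is run through that filter first, and it may accept it anyway."""
    if rpf_check(table, pkt, **check_options):
        return "accept"
    if fail_filter is not None:
        return fail_filter(pkt)
    return "discard"


def make_fail_filter(accepted_sources, counters):
    """Constructed fail filter: count every RPF failure, accept only failures
    from the listed prefixes (e.g. a peer known to route asymmetrically)."""
    nets = [ipaddress.ip_network(p) for p in accepted_sources]

    def fail_filter(pkt):
        counters["rpf-failed"] = counters.get("rpf-failed", 0) + 1
        if any(ipaddress.ip_address(pkt["src"]) in n for n in nets):
            return "accept"
        return "discard"
    return fail_filter


# Constructed table: 203.0.113.0/24 has an active path via ge-0/0/0 and a
# feasible (non-active) path via ge-0/0/1; 192.0.2.0/24 is reachable only via ge-0/0/2.
TABLE = RoutingTable([
    ("203.0.113.0/24", "ge-0/0/0", True),
    ("203.0.113.0/24", "ge-0/0/1", False),
    ("192.0.2.0/24", "ge-0/0/2", True),
])

if __name__ == "__main__":
    samples = {
        "asymmetric": {"src": "203.0.113.9", "ingress": "ge-0/0/1"},
        "spoofed": {"src": "192.0.2.5", "ingress": "ge-0/0/0"},
        "unrouted": {"src": "198.51.100.5", "ingress": "ge-0/0/0"},
    }
    for name, pkt in samples.items():
        print(f"{name:10} strict={rpf_check(TABLE, pkt)} "
              f"strict+feasible={rpf_check(TABLE, pkt, feasible_paths=True)} "
              f"loose={rpf_check(TABLE, pkt, mode='loose')}")
```

The asymmetric packet is the case the text warns about: it is legitimate, but strict mode on active routes only drops it; enabling feasible paths or loose mode passes it. The spoofed packet shows the price of loose mode: because a route to 192.0.2.0/24 exists, loose mode cannot tell that it arrived on the wrong interface. The fail filter lets an operator keep strict mode and still admit one known exception while counting everything that failed.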



QUESTIONS
1. What are some common firewall filter actions and what does each action do?
 Accept: accepts the packet and continues the input or output processing of the packet
 Discard: silently rejects the packet
 Reject: drops the packet and sends ICMP message to the source address
 Next term: causes Junos to evaluate the next term; typically used when a term applies a
policer but the traffic should still be evaluated by the rest of the filter
2. What is the default action for packets the software does not accept through an applied firewall
filter?
 The default action for packets not explicitly permitted through a firewall filter is discard
3. What is the purpose of unicast RPF?
 Unicast RPF automates antispoofing on a device running Junos
