Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

Juniper basics

Written by Arnaud
 
The first step is to read the free "Day One" books: http://www.juniper.net/us/en/community/junos/training-certification/day-...
I chose Configuring Junos Basics, and Junos for IOS Engineers.
 
 
Now, let's get a switch! For my first try I had 2 QFX5100: https://twitter.com/afenioux/status/496269731171946497
 
The default login is "root" with no password; once logged in, type "cli" to enter the Juniper CLI.
 
 
Show status and description of the interfaces:
show interfaces descriptions
 
Enter "config mode":
edit
 
Show which physical interfaces are bound to an aggregated Ethernet interface (the Cisco PortChannel equivalent); "run" in edit mode works like Cisco's "do":
run show interfaces terse
 
Show the config in indented (hierarchical) form:
show configuration
 
Show the config as "set" commands, as you would type them:
show configuration | display set
 
You can chain pipes and use "match" (the Cisco "include"):
show configuration | display set | match interface
 

Set a description on an interface and show its config (the hierarchy is "interfaces", plural):
edit interfaces xe-0/3/6
set description "my INT description"
show

Shut down an interface (you don't have to enter the interface hierarchy first):
set interfaces xe-0/3/2 disable

See your modifications before committing:
show | compare

Apply your configuration changes:
commit

Apply your configuration and schedule an automatic rollback (after 10 minutes by default) unless the commit is confirmed in time:
commit confirmed
Check your candidate config before committing (this also confirms a pending "commit confirmed"):
commit check
 
See the commit history:
show system commit
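As an added example (not from the original post), here is the safe-change workflow these commands give you, end to end: change, diff, check, commit with an automatic rollback timer, verify from a second session, then confirm, or roll back if the change was wrong. The hostname, interface, description text and 5-minute timer are assumptions.

```junos
# Added example, not the blog's own transcript. Hostname "qfx", interface
# xe-0/3/6 and the description text are assumed values.
user@qfx> edit
Entering configuration mode

[edit]
user@qfx# set interfaces xe-0/3/6 description "uplink to core-1 (assumed)"

[edit]
user@qfx# show | compare
[edit interfaces xe-0/3/6]
+   description "uplink to core-1 (assumed)";

[edit]
user@qfx# commit check
configuration check succeeds

# Commit with a 5-minute safety net: if nobody confirms, the box reverts on its own.
[edit]
user@qfx# commit confirmed 5 comment "xe-0/3/6 description, auto-rollback 5 min"
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

# ... from a SECOND session, check you can still reach the box and that the
# change did what you wanted (run show interfaces descriptions), then confirm:
[edit]
user@qfx# commit
commit complete

# If instead the change was wrong, undo it before the timer expires:
[edit]
user@qfx# rollback 1
load complete

[edit]
user@qfx# commit
commit complete

# Either way, the history shows what happened and when:
[edit]
user@qfx# run show system commit
```

Verifying from a second session matters: the session that issued "commit confirmed" is the one most likely to be cut off by a bad change, and the whole point of the timer is that the box recovers without you.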
 
"deactivate" comments out a configuration stanza (handy for tests), whereas "delete" really removes it:
deactivate system syslog
delete system syslog
 
Enable SSH login, and set an IP on the management interface (with a default route):
set system services ssh
set interfaces vme unit 0 family inet address 192.168.1.100/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
 
Show random (but useful) tips:
help tip cli
 
List the serial numbers and types of all components (SFPs, FPCs (line cards), PFEs (switch fabric), power supplies...):
show chassis hardware
 
Show optical levels and power information of an optic:
show interfaces diagnostics optics xe-0/2/3
 
Start a shell (as your own user, or as root):
start shell
start shell user root
 
Show the main log file (last lines only):
show log messages | last
 
Enable/disable live monitoring of a log file (use with caution!); in this example we "tail" the messages log:
monitor start messages
monitor stop messages

 
Watch interface statistics live:
monitor interface xe-0/3/6 
Classified in : junIPer Tags : none

IRR/RIPE database documentation

Written by Arnaud

Get help on querying the RIPE database:

telnet whois.ripe.net 43
help

Documentation page: http://www.ripe.net/data-tools/support/documentation

Query flags cheat sheet: http://www.ripe.net/data-tools/support/documentation/queries-ref-card

Some aliases I use in my bashrc:

alias cymru='whois -h whois.cymru.com -v'
alias ripe='whois -h whois.ripe.net -r'
alias ntt='whois -h rr.ntt.net -r'
alias radb='whois -h whois.radb.net -r'
Classified in : MISC Tags : none

L2 ACL / MAC ACL vs Port Security

Written by Arnaud

Cisco devices can filter inbound MAC addresses with port-security or with a MAC ACL, but remember that ACLs are checked in hardware by the port ASICs, whereas port-security is checked in software (and can cause big trouble in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

In this example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface config mode):

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4
 
By default, when the maximum number of MAC addresses is exceeded the port is shut down (err-disabled); you can re-enable it automatically after a delay with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions when a violation occurs (interface config mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown : Shuts down the port if there is a security violation.
 
---MAC ACL on Cat6500---
Define the MAC ACL first; as you can see, an entry can be restricted to a VLAN (global config mode):

 
mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any 
 
NB: MAC filtering can also match on many other protocols/options.
 
And apply it on the interface:
 mac access-group MY-ACL in
 
---Sources---
Classified in : cisco Tags : none

Enable SSH && disable telnet

Written by Arnaud

Telnet is "bad". This is how to enable SSH and disable telnet login; by the way, we only want SSH v2, as v1 is vulnerable to several attacks.
When prompted, choose at least 1024 bits for the key:

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add an ACL on the VTY lines; it is always a good thing:

access-list 99 permit 192.0.2.0 0.0.0.255
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any

line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in

When you create the ACL, remember it is even better to accept logins only from your own management network.

Source and a nice explanation of the banners: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/...

OH! BTW, if you use clogin/rancid to log into your equipment, make sure your MOTD does not contain any # or the auto-enable won't work...
I told you: MOTD (with #) + SSH + clogin = no auto-enable

 
Classified in : cisco Tags : none

BGP references

Written by Arnaud
 
I have put here lots of links I use for my presentations, which could be interesting for anyone:
 
PDF Slides of my BGP workshops (in French)
 
What is Peering?
 
BGP Convergence explained (very nice post)
 
Wonderful cheat sheet (not only BGP!)
 
BGP Best Path Selection Algorithm
 
BGP configuration examples
 
BGP syntax and attributes
 
Sample BGP Commands for Cisco Systems
 
Cisco routing performance
 
 
Cisco Feature Navigator
 
AS transit stats
 
peering DB
 
RIPE DB
 
Cisco router simulator
 
looking glass
 
BGPlay
 
ANSSI  (French):
 
Draft IETF BCP BGP:
 
PEVAL: "peval as199422" or "peval afi ipv6 AS199422"
 
BGP well-known communities (RFC 1997 & RFC 3765):
65535:65281 NO_EXPORT
65535:65282 NO_ADVERTISE
65535:65283 NO_EXPORT_SUBCONFED
65535:65284 NOPEER
 
IANA ASN allocation:
 
Lolz:
Video IPv6
The IT Crowd
 
Classified in : BGP Tags : none