Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

Juniper basics

Written by Arnaud
First step is to read these "Day One" free books:
I chose Configuring Junos Basics, and Junos for IOS Engineers.
Now, let's get a switch! For my first try I had 2 QFX5100:
The default login is "root" with no password; once logged in, type "cli" to enter the Juniper CLI.
Show status and description of the interfaces:
show interfaces descriptions
Enter "config mode":
Show bindings with aggregated Ethernet interfaces (PortChannel); we use "run" in edit mode (like a Cisco "do"):
run show interfaces terse
Show config in indented mode
show configuration
Show config as you would type it:
show configuration | display set
You can double pipe and use match (cisco "include"):
show configuration | display set | match interface

Set a description on an interface, and show its config:
edit interfaces xe-0/3/6
set description "my INT description"

Shut down an interface (you don't have to enter the interface hierarchy first):
set interfaces xe-0/3/2 disable

See your modifications before committing:
show | compare

Apply your configuration and schedule an automatic rollback (10 minutes by default):
commit confirmed
Check your config before committing (or confirm a pending "commit confirmed"):
commit check
See the configuration history:
show system commit
"deactivate" comments out a config stanza (handy for tests); "delete" really deletes it:
deactivate system syslog
delete system syslog
Enable SSH login, and set an IP on the management interface (with a default route):
set system services ssh
set interfaces vme unit 0 family inet address
set routing-options static route next-hop
Show random (but useful) tips:
help tip cli
List the serial numbers and types of all components (SFP / FPC (line card) / PFE (switch fabric) / PS...):
show chassis hardware
Show optical level and power information of an optic:
show interfaces diagnostics optics xe-0/2/3
Start a shell (with your own id, or as root):
start shell
start shell user root
Show the messages log (last lines only):
show log messages | last
Enable/disable debugging (caution!); in this example we "tail" the messages log:
monitor start messages
monitor stop messages

Watch interface statistics live:
monitor interface xe-0/3/6
Classified in : junIPer Tags : none

IRR/RIPE database documentation

Written by Arnaud

Get help on querying the RIPE Database:

telnet 43

Documentation page :

Query flags cheatsheet :

Some aliases I use in my bashrc:

alias cymru='whois -h -v'
alias ripe='whois -h -r'
alias ntt='whois -h -r'
alias radb='whois -h -r'
Classified in : MISC Tags : none

L2 ACL / MAC ACL vs Port Security

Written by Arnaud

Cisco devices can filter MAC addresses inbound with port-security or with an ACL, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port-security is checked in software (and can cause big trouble in restrict/protect mode when many violations occur):

---Port-security on Cat6500---

In this example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface config mode):

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4
By default, if the maximum number of MAC addresses is exceeded, the port is shut down (err-disabled); you can re-enable it automatically after a delay with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions if a port violation occurs (interface conf mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown : Shuts down the port if there is a security violation.
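Because port-security runs in software and errdisable recovery simply re-arms a port after the interval, the thing to watch on the switch is how often ports violate and how many are cycling through err-disable. The following is an added example (Python, not from the original post) that builds that per-port view from constructed syslog lines using the message formats IOS emits for PSECURE_VIOLATION, ERR_DISABLE and ERR_RECOVER; the port names and MACs are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog (not from the post); the message formats are the ones
# IOS emits for port-security violations and for errdisable / recovery events.
SAMPLE_LOG = """\
Mar  1 03:02:11.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.4444 on port GigabitEthernet1/1.
Mar  1 03:02:11.900: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.5555 on port GigabitEthernet1/1.
Mar  1 03:02:12.004: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/1, putting Gi1/1 in err-disable state
Mar  1 03:03:40.331: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.6666 on port GigabitEthernet1/2.
Mar  1 03:07:12.010: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/1
Mar  1 03:07:13.402: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.4444 on port GigabitEthernet1/1.
Mar  1 03:07:13.900: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/1, putting Gi1/1 in err-disable state
"""

VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-fA-F.]{14}) on port ([A-Za-z]+[\d/]+)")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: .*psecure-violation err-disable state on (\S+)")

def short_ifname(name):
    """Normalise 'GigabitEthernet1/1' to 'Gi1/1' so both message styles line up."""
    m = re.match(r"([A-Za-z]+)(.*)", name)
    return m.group(1)[:2] + m.group(2)

def summarize(log_text):
    """Per-port view: offending MACs, errdisable count, and ports still err-disabled."""
    violations, errdisable_count, errdisabled = defaultdict(list), Counter(), set()
    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            violations[short_ifname(m.group(2))].append(m.group(1).lower())
        elif m := ERRDISABLE_RE.search(line):
            port = short_ifname(m.group(1))
            errdisable_count[port] += 1
            errdisabled.add(port)
        elif m := RECOVER_RE.search(line):
            errdisabled.discard(short_ifname(m.group(1)))
    return {"violations": dict(violations),
            "errdisable_count": dict(errdisable_count),
            "errdisabled": errdisabled}

def flapping_ports(summary, threshold=2):
    """Ports err-disabled `threshold`+ times: errdisable recovery just re-arms the loop."""
    return sorted(p for p, n in summary["errdisable_count"].items() if n >= threshold)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for port, macs in sorted(s["violations"].items()):
        print(f"{port}: {len(macs)} violation(s) from {sorted(set(macs))}")
    print("still err-disabled:", sorted(s["errdisabled"]), "flapping:", flapping_ports(s))
```

Gi1/1 is reported as flapping because it went into err-disable twice with a recovery in between, which is exactly the pattern the 300-second recovery interval above will keep repeating until someone looks at the offending MACs.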
---MAC ACL on Cat6500---
We have to define the MAC ACL first; as you can see, an entry can be restricted to a VLAN (global config mode):

mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any
NB: MAC filtering can match on many protocols/options.
And apply on the interface :
 mac access-group MY-ACL in
Classified in : cisco Tags : none

Enable SSH && disable telnet

Written by Arnaud

Telnet is "bad"; this is how to enable SSH and disable Telnet login. BTW, we only want SSH v2, as v1 is vulnerable to several attacks:
When asked, choose at least 1024 bits for the key.

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add an ACL; this is always a good thing:

access-list 99 permit
ipv6 access-list ACL-RESTRICTED-IN
 permit ipv6 2001:db8::/32 any

line vty 0 15
 access-class 99 in
 ipv6 access-class ACL-RESTRICTED-IN in

When you create your ACL, remember it's even better to only accept logins from your own network.

Source and nice explanation of the banners:

OH! BTW, if you use clogin/rancid to log into your equipment, make sure your MOTD does not contain any # or the auto-enable won't work...
I told you: MOTD (with #) + SSH + clogin = no auto-enable
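The points above (SSH v2 only, vty lines restricted to SSH, IPv4 and IPv6 access-class applied, no # in the MOTD) are easy to check mechanically against a saved running-config. The following is an added example (Python, not from the original post) that audits a constructed IOS config excerpt for exactly those items; the sample deliberately leaves the second vty range with telnet enabled and no access-class so there are findings to see.

```python
import re

# Constructed IOS running-config excerpt (not from the post). Two of the post's
# points are deliberately violated so the audit has findings to report.
SAMPLE_CONFIG = """\
hostname switch
ip domain-name mydomain.tld
aaa new-model
ip ssh version 2
banner motd ^C
 Authorised access only # ticket 42
^C
access-list 99 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 99 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

VTY_RE = re.compile(r"^(line vty \d+ \d+)\n((?: .*\n?)*)", re.M)

def parse_vty_lines(config):
    """Map each 'line vty X Y' header to its indented sub-commands."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in VTY_RE.finditer(config)}

def motd_text(config):
    """Text between the 'banner motd <delim>' line and the closing delimiter."""
    m = re.search(r"^banner motd (\S+)\n(.*?)\n\1", config, re.S | re.M)
    return m.group(2) if m else ""

def audit(config):
    """Findings against the post's checklist; an empty list means compliant."""
    findings = []
    if "ip ssh version 2" not in config.splitlines():
        findings.append("ip ssh version 2 missing: SSHv1 still negotiable")
    for name, cmds in parse_vty_lines(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{name}: transport input not restricted to ssh")
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{name}: no IPv4 access-class")
        if not any(c.startswith("ipv6 access-class ") for c in cmds):
            findings.append(f"{name}: no IPv6 access-class")
    if "#" in motd_text(config):
        findings.append("MOTD contains '#': clogin/rancid auto-enable will break")
    return findings
```

audit(SAMPLE_CONFIG) returns five findings: the first vty range lacks an IPv6 access-class, the second still accepts telnet and has neither ACL, and the MOTD carries a #.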

Classified in : cisco Tags : none

BGP references

Written by Arnaud
I have put here lots of links I use for my presentations, and that could be interesting for anyone:
PDF Slides of my BGP workshops (in French)
What is Peering?
BGP Convergence explained (very nice post)
Wonderful cheat sheet (not only BGP!)
BGP Best Path Selection Algorithm
Examples conf BGP
BGP syntax and attributes
Sample BGP Commands for Cisco Systems
Cisco routing performance
Cisco Feature Navigator
AS transit stats
peering DB
Cisco router simulator
looking glass
ANSSI (French):
PEVAL: "peval as199422" or "peval afi ipv6 AS199422"
BGP well-known communities (RFC 1997 & 3765):
65535:65281 NO_EXPORT
65535:65282 NO_ADVERTISE
65535:65284 NOPEER
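The three values above are the high end of the reserved 65535:x range, and each one tells the receiving router something different about where the route may go. The following is an added example (Python, not from the original post) that encodes and decodes the AS:value notation and applies the RFC 1997 / RFC 3765 advertisement rule for each community; the peer_kind labels and the 64496:100 community are constructed for illustration.

```python
# Well-known communities from RFC 1997 and RFC 3765, as listed in the post.
# Added example (not from the post): it encodes/decodes the AS:value notation
# and applies the advertisement rule each community carries.
WELL_KNOWN = {
    0xFFFFFF01: "NO_EXPORT",     # 65535:65281
    0xFFFFFF02: "NO_ADVERTISE",  # 65535:65282
    0xFFFFFF04: "NOPEER",        # 65535:65284
}

def parse_community(text):
    """'65535:65281' -> 32-bit value: high 16 bits are the AS, low 16 the value."""
    asn, _, value = text.partition(":")
    asn, value = int(asn), int(value)
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (asn << 16) | value

def format_community(value):
    """Inverse of parse_community."""
    return f"{value >> 16}:{value & 0xFFFF}"

def community_names(communities):
    """Well-known names present on a route, e.g. {'NO_EXPORT'}; unknown ones are ignored."""
    return {WELL_KNOWN[v] for v in map(parse_community, communities) if v in WELL_KNOWN}

def should_advertise(communities, peer_kind):
    """peer_kind: 'ibgp', 'ebgp-customer', 'ebgp-transit' or 'ebgp-peer' (bilateral peering)."""
    names = community_names(communities)
    if "NO_ADVERTISE" in names:
        return False   # RFC 1997: not to any peer at all, iBGP included
    if "NO_EXPORT" in names and peer_kind != "ibgp":
        return False   # RFC 1997: stays inside the AS (or confederation)
    if "NOPEER" in names and peer_kind == "ebgp-peer":
        return False   # RFC 3765: fine for customers/transit, not across bilateral peerings
    return True

if __name__ == "__main__":
    route = ["64496:100", "65535:65284"]   # constructed: one private, one well-known
    for kind in ("ibgp", "ebgp-customer", "ebgp-peer"):
        print(kind, "advertise" if should_advertise(route, kind) else "suppress")
```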
IANA ASN allocation :
Lolz :
Video IPv6
The IT Crowd
Classified in : BGP Tags : none