weblogs.com.pk

L2VPN Taxonomy

[image: L2VPN]

Posted by jahil | 0 Comments

JUNOS Candidate Configuration and Explicit Commits

One of my longtime gripes about IOS is that when you type a new statement to the CLI and hit return, the statement immediately becomes active on the router. For someone as mistake-prone as me, this is a big risk. And given that the majority of network problems are due to human error rather than hardware and software failures, it is a risk for everyone.

This can also be a problem when you’re making extensive configuration changes. Having those changes take effect one statement at a time can introduce all sorts of transient conditions.

The Candidate Configuration and Explicit Commits:

This leads, in contrast, to one of my favorite JUNOS features: When you make a configuration change, the change does not take effect immediately. Instead, it goes into a candidate configuration file. You can make as many configuration additions, deletions, and changes as you like, and none of them become active on the router until you enter a commit command. That command causes the candidate configuration to become the active configuration.

The candidate configuration and explicit commit help tremendously in reducing the number of simple human errors that plague day-to-day network operations. You can make all your changes, check them as many times as you like during the configuration process, and only commit them when you are ready and are sure the changed configuration looks right.

Posted by jahil | 0 Comments

Scripting and Customization in JUNOS

JUNOS, Juniper's network operating system, is a highly useful tool for any network engineer. In JUNOS there are times when you can enter all the individual lines of a configuration correctly and the configuration can still be wrong. That is, the combination of commands does not work correctly together, or something is missing among the lines.

In the following example, I set up a very simple BGP configuration. First, I move from the top of the hierarchy to a BGP peering group that I've named External_Peer. I didn't have to use the set command to create this group; just by moving to that level, the group is created for me. Next, I specify a neighbor at 172.16.1.5. Then I specify that the neighboring autonomous system for the group is 65502. Finally, I specify that an export policy named External_Peer_Policy is used to modify or filter routes sent (exported) to the neighbor. When I'm done, I return to the top of the configuration hierarchy.

At each configuration line JUNOS accepts the entry, indicating that I have not made any mistakes (extraordinary for me) :)

jahil@junos# edit protocols bgp group External_Peer

[edit protocols bgp group External_Peer]
jahil@junos# set neighbor 172.16.1.5

[edit protocols bgp group External_Peer]
jahil@junos# set peer-as 65502

[edit protocols bgp group External_Peer]
jahil@junos# set export External_Peer_Policy

[edit protocols bgp group External_Peer]
jahil@junos# top

[edit]
jahil@junos#

But then when I try to commit the configuration, JUNOS objects:

jahil@junos# commit
error: Policy error: Policy External_Peer_Policy referenced but not defined

[edit protocols bgp group External_Peer]
'export'
BGP: export list not applied
error: configuration check-out failed

[edit]
jahil@junos#

It’s telling me that the export policy I referenced in my BGP configuration does not exist anywhere in the configuration. (It should be found somewhere under the [edit policy-options] level).

When the commit command is invoked, JUNOS runs a set of scripts that examine the candidate configuration. If some situation is found, like the one I just showed you, in which the various lines of the configuration do not work together, the commit fails and an error message is displayed explaining why the commit failed.

By the way, you can use the commit check command to tell JUNOS to run the scripts against the candidate configuration without attempting a commit. That's very useful if you're adding a bunch of new statements to the configuration and want the scripts to check your work occasionally as you go.
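The failed commit above is a cross-reference check: a statement that names a policy is only valid if that policy is defined elsewhere in the candidate configuration. As an added illustration (not JUNOS's own commit scripts, which check far more than this), the Python below parses a set-style candidate configuration constructed from the session above and reports every import/export policy referenced under protocols bgp that has no matching policy-statement under policy-options. The error text imitates the JUNOS message shown above but is only an approximation of it.

```python
"""Toy cross-reference check in the spirit of a JUNOS commit check.

Added illustration, not Juniper's code. It parses set-style candidate
configuration lines and verifies that every policy named by an
import/export statement under protocols bgp is defined under
policy-options policy-statement.
"""
import re
from typing import List, Set, Tuple

# Constructed candidate configuration reproducing the BGP group from the post.
CANDIDATE_BROKEN = """
set protocols bgp group External_Peer neighbor 172.16.1.5
set protocols bgp group External_Peer peer-as 65502
set protocols bgp group External_Peer export External_Peer_Policy
"""

# The same candidate with the referenced policy defined, so the check passes.
CANDIDATE_FIXED = CANDIDATE_BROKEN + """
set policy-options policy-statement External_Peer_Policy term 1 then accept
"""

# A policy definition: "set policy-options policy-statement <name> ..."
POLICY_DEF = re.compile(r"^set policy-options policy-statement (\S+)")
# A policy reference anywhere under protocols bgp:
#   "set protocols bgp [group <g>] [neighbor <n>] (import|export) <policy>"
POLICY_REF = re.compile(r"^set (protocols bgp(?: \S+)*?) (import|export) (\S+)$")


def commit_check(candidate: str) -> List[str]:
    """Return commit-style error strings; an empty list means the check passed."""
    defined: Set[str] = set()
    references: List[Tuple[str, str, str]] = []  # (hierarchy, statement, policy)

    for raw in candidate.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = POLICY_REF.match(line)
        if m:
            references.append((m.group(1), m.group(2), m.group(3)))

    errors = []
    for hierarchy, statement, policy in references:
        if policy not in defined:
            errors.append(
                f"Policy error: Policy {policy} referenced but not defined\n"
                f"  [edit {hierarchy}]\n"
                f"  '{statement}'"
            )
    return errors


if __name__ == "__main__":
    for label, candidate in (("broken", CANDIDATE_BROKEN), ("fixed", CANDIDATE_FIXED)):
        problems = commit_check(candidate)
        print(f"{label}: {'commit check failed' if problems else 'configuration check succeeds'}")
        for problem in problems:
            print(problem)
```

Running the script reports the missing External_Peer_Policy for the first candidate and a clean check for the second, which is the same sequence the post walks through at the CLI.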

Posted by jahil | 0 Comments

Recover BGP password (Juniper JUNOS)

# Get a root shell:

jahil@junos> start shell

% su - root

Password:

jahil@jahil%


# View the contents of /var/etc/keyadmin.conf

jahil@jahil% less /var/etc/keyadmin.conf


tcp 179 0.0.0.0 10.0.0.1 md5 instance default 0x6162636431323334

tcp 179 :: 2001:DB8:1::1 md5 instance default 0x313233717765727479


# Run the following command on a system with Perl:

jahil@jahil:~>perl -e 'print "Hex: ";$_=<>;print "MD5: ";s/(\w\w)/\1:/g;for (split(/:/)) {printf "%s", chr(hex($_))};print "\n"'

Hex: 0x6162636431323334

MD5: abcd1234


jahil@jahil:~>perl -e 'print "Hex: ";$_=<>;print "MD5: ";s/(\w\w)/\1:/g;for (split(/:/)) {printf "%s", chr(hex($_))};print "\n"'

Hex: 0x313233717765727479

MD5: 123qwerty


That's it! Many thanks to the person who gave me this code and to the person who developed it :)
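The Perl one-liner above decodes one key at a time and needs the hex pasted in by hand. As an added example (not the code from the post), the Python below parses whole keyadmin.conf lines and decodes every entry in one pass. The sample input is constructed from the two lines shown above; the field layout (protocol, port, local address, peer address, algorithm, the literal word instance, instance name, hex key) is inferred from those two lines and is an assumption. The security point worth noticing is that the stored value is plain hex of the ASCII key, not a hash, so anyone with a root shell on the router can read every BGP MD5 key.

```python
"""Decode the hex-encoded BGP MD5 keys stored in /var/etc/keyadmin.conf.

Added example, not the Perl one-liner from the post. The field layout is an
assumption inferred from the two lines shown in the post.
"""
from typing import List, NamedTuple

# Constructed sample, copied from the two entries shown in the post.
SAMPLE_KEYADMIN_CONF = """\
tcp 179 0.0.0.0 10.0.0.1 md5 instance default 0x6162636431323334
tcp 179 :: 2001:DB8:1::1 md5 instance default 0x313233717765727479
"""


class KeyEntry(NamedTuple):
    proto: str      # transport protocol, "tcp" for BGP
    port: int       # 179 for BGP
    local: str      # local address (0.0.0.0 or :: means any)
    peer: str       # peer address the key applies to
    algorithm: str  # "md5"
    instance: str   # routing instance name
    key: str        # decoded ASCII key


def decode_hex_key(token: str) -> str:
    """Turn 0x6162636431323334 into abcd1234.

    The value is hex-encoded ASCII, so decoding is a plain byte conversion;
    there is no hashing or encryption to undo.
    """
    digits = token[2:] if token.lower().startswith("0x") else token
    if len(digits) % 2:
        raise ValueError(f"odd-length hex key: {token}")
    return bytes.fromhex(digits).decode("ascii")


def parse_keyadmin(text: str) -> List[KeyEntry]:
    """Parse keyadmin.conf text into KeyEntry records with decoded keys."""
    entries: List[KeyEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Expected layout (assumption): proto port local peer alg instance <name> <hexkey>
        if len(fields) != 8 or fields[5] != "instance":
            raise ValueError(f"unrecognised keyadmin.conf line: {line}")
        proto, port, local, peer, alg, _, inst, hexkey = fields
        entries.append(KeyEntry(proto, int(port), local, peer, alg, inst, decode_hex_key(hexkey)))
    return entries


if __name__ == "__main__":
    for entry in parse_keyadmin(SAMPLE_KEYADMIN_CONF):
        print(f"{entry.proto}/{entry.port} {entry.local} -> {entry.peer} "
              f"[{entry.instance}] {entry.algorithm}: {entry.key}")
```

Point the parser at the real file (for example by reading /var/etc/keyadmin.conf into a string) to recover all configured keys at once instead of re-running the one-liner for each neighbor.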

Posted by jahil | 0 Comments

The beauty of Juniper JUNOS

I'm actually a Cisco/Unix geek, but I'm working on some giant Juniper routers nowadays. The beauty of the Juniper router operating system (JUNOS) is that it is based on FreeBSD. Upgrading the operating system is one of my favorite things, because I love impressive new features, and I come from a Unix background where such things are easy. Here is how to load a USB device with JUNOS software.

On the next-generation Routing Engines, upgrading from a USB device is supported. You must have at least an RE-A-1000 or RE-A-2000 to perform an upgrade from USB.

Below is the short procedure:

The device name is /dev/rda0 instead of /dev/rad3.

Start a shell:
jahil@jahil> start shell

Change to the directory where the install media file is (e.g. /var/tmp/):
jahil@jahil% cd <directory>

Issue the following commands (the text after # is a comment, not part of the command):
jahil@jahil% dd if=/dev/zero of=/dev/rda0 count=20                    # initialize the media
jahil@jahil% dd if=install-media-9.1R2.4-export of=/dev/rda0 bs=64k   # write the install image to the USB device

Finished.

Posted by jahil | 0 Comments

Create a direct shortcut to Network Connections (Windows Vista)

The new Network and Sharing Center in Windows Vista is great for the average Windows user but can be a huge headache for advanced users. When I need to make a change to my network settings I don't want to be forced to go through the networking interface designed for non-technical users. I want to go right to the settings screen and make the change.

I am a big fan of the old Windows XP approach, where I could modify all of the network settings and connect to wireless networks from the Network Connections screen. In Windows Vista, the Network Connections screen still exists, but you have to go through the Network and Sharing Center first. Using a very useful Explorer trick I discovered when playing with "::" and Explorer class IDs, you can create a shortcut that takes you directly to the Network Connections screen.

  1. Right click on the desktop and select New and then Shortcut.
  2. In the location box, copy and paste explorer.exe ::{7007ACC7-3202-11D1-AAD2-00805FC1270E} and hit Next.
  3. Type in Network Connections (or whatever you like) as the name and click Finish.

Posted by jahil | 0 Comments

JNCIS-M Certification Cleared

[image: Juniper]

So I finally cleared Juniper's JNCIS-M exam today. I hope to finish JNCIP-M within the next 3-4 weeks. Wish me all the luck :)

Posted by jahil | 2 Comments

Juniper Router On The Stick Configuration (JUNOS)

Router JAHIL is directly connected to a VLAN-capable switch and needs to be configured to talk to AHMIQ on one subnet and NAKAMA on another over the same Fast Ethernet port. The first step in configuring VLANs is to enable VLAN tagging on the physical interface, as shown below:

[edit interfaces fe-0/0/1]
lab@JAHIL# set vlan-tagging

[edit interfaces fe-0/0/1]
lab@JAHIL# show
vlan-tagging;
speed 100m;
link-mode full-duplex;

[edit interfaces fe-0/0/1]
lab@JAHIL#

The next steps are to create the units, assign the units to the appropriate VLAN, and then configure the IP addresses in the units. Since the scenario has VLANs 20 and 30, we can use those numbers for simplicity, but the unit number, as we have discussed, is up to the network administrator. It does make sense, however, to give the unit number some kind of significance for ease of use.

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 20 vlan-id 20

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 20 family inet address 1.1.1.1/24

[edit interfaces fe-0/0/1]
lab@JAHIL# set unit 30 vlan-id 30 family inet address 2.2.2.2/24

[edit interfaces fe-0/0/1]
lab@JAHIL# show
vlan-tagging;
speed 100m;
link-mode full-duplex;
unit 20 {
    vlan-id 20;
    family inet {
        address 1.1.1.1/24;
    }
}
unit 30 {
    vlan-id 30;
    family inet {
        address 2.2.2.2/24;
    }
}

[edit interfaces fe-0/0/1]
lab@JAHIL#

fe-0/0/1 now has two logical units: unit 20 in VLAN 20 and unit 30 in VLAN 30.

Posted by jahil | 0 Comments

How to Recover the Password on Juniper Routers

In the real world, there is always a chance you will lose a password. The root password can be recovered by booting the Juniper router into a specific mode: single-user mode.

 

  1. From the console, interrupt the boot routine:

        Hit [Enter] to boot immediately, or any other key for command prompt.
        Booting [kernel] in 9 seconds...
        < Press the space bar at this point >

  2. Enter single-user mode:

        Type '?' for a list of commands, 'help' for more detailed help.
        ok boot -s

  3. Enter the shell:

  4. Mount the virtual file systems (for JUNOS 5.4 and above it is not necessary to mount the jbase package; however, the other packages still need to be mounted). NOTE: to go to multi-user operation, exit the single-user shell (with ^D).

        # cd /packages
        # ./mount.jbase
        Mounted jbase package on /dev/vn1...
        # ./mount.jkernel
        Mounted jkernel package on /dev/vn2...
        # ./mount.jroute
        Mounted jroute package on /dev/vn3...

  5. Enter recovery mode:

        # /usr/libexec/ui/recovery-mode

  6. Enter configuration mode and either delete or change the root authentication password:

        root> configure
        Entering configuration mode
        [edit]
        root# delete system root-authentication

  7. Commit the changes and exit configuration mode:

        [edit]
        root # commit
        commit complete
        [edit]
        root@router# exit
        Exiting configuration mode
        root@router> exit

  8. Exit recovery mode and enter "y" when prompted to reboot the system:

        Reboot the system? [y/n] y
        Terminated

The system now reboots and the changes made to root authentication are active.

Retrieved from "http://juniper.cluepon.net/index.php/Password_recovery"

 

Posted by jahil | 1 Comments

Goosh.org Unix-like Shell For Google

goosh.org is the unofficial Google shell. This Google interface behaves like a Unix shell: you type commands and the results are shown on the page.

=> http://goosh.org

Posted by jahil | 0 Comments

Cisco && Magic Question Mark (?)

In Cisco IOS, every mode (user mode, privileged mode, etc.) has a built-in help system. You can use the magic question mark (?) in user mode as well as in the sub-configuration modes.

But what if you want to use a question mark (?) in a description or an as-path regex? :)

Well, to write a question mark in IOS, the escape sequence CTRL-V or ESC-Q must be entered first; otherwise the IOS parser will interpret the question mark as an attempt to invoke the context-sensitive help.

JAHIL#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
JAHIL(config)#int
JAHIL(config)#interface gi3/0/0
JAHIL(config-if)#des
JAHIL(config-if)#description ?
  LINE  Up to 240 characters describing this interface

JAHIL(config-if)#description

You see, when you type ? it brings up the help menu. What if you really want to include ? in the description? You can use CTRL-V or ESC-Q:

JAHIL#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
JAHIL(config)#int
JAHIL(config)#interface gi3/0/0
JAHIL(config-if)#des
JAHIL(config-if)#description (now press CTRL-V or ESC-Q)
JAHIL(config-if)#description ?IGotIt (oh it worked)

You can use CTRL-V or ESC-Q whenever or wherever it's needed :)

Posted by jahil | 1 Comments

Cisco URL Blocking/Filtering

NBAR can be used to apply application based filters such as blocking youtube.com traffic. To accomplish this we can categorize traffic based on the HTTP hostname. Next we will create a policy-map that matches the youtube.com class and drops the traffic. Lastly the policy is applied outbound to the Internet. Syntax-wise this would read:

JAHIL-Router#
class-map match-all YOUTUBE
 match protocol http host "*youtube.com*"
!
policy-map DROP_YOUTUBE
 class YOUTUBE
   drop
!
interface FastEthernet0/0
 description TO INTERNET
 service-policy output DROP_YOUTUBE

Posted by jahil | 0 Comments

How to Configure NetFlow on a Cisco 6500

This post was written to answer a question asked by Mr Drew.

The NetFlow table on the route processor (RP) captures statistics for flows routed in software and the NetFlow table on the PFC (and on each DFC) captures statistics for flows routed in hardware. In PFC3A mode, NetFlow collects statistics only for routed traffic. With other PFCs, you can configure NetFlow to collect statistics for both routed and bridged traffic.

mls netflow
(Enables NetFlow on the PFC for packets forwarded in hardware.)

mls flow ip interface-full
(interface-full is the most specific flow mask. The PFC creates and maintains a separate table entry for each IP flow on an interface. An interface-full entry includes the source IP address, destination IP address, protocol, and protocol ports.)

interface Vlan5
description Jahil-Flow-Test

ip route-cache flow
(Enables NetFlow for the specified interface. NetFlow will collect statistics only for packets forwarded in software (RP).)

ip flow ingress
(Enables NetFlow for the specified interface. NetFlow will collect statistics for packets forwarded in hardware (PFC) or software (RP).)

no mls flow ipv6
(You can disable it for a couple of years :)

If you want to enable NetFlow for ingress-bridged IP traffic in VLAN 5:

6500# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
6500(config)# ip flow ingress layer2-switched vlan 5

Note:

  • mls netflow captures all hardware-switched traffic, so to make sure you also catch anything routed by the CPU, turn on "ip route-cache flow" on every interface that flows may arrive on inbound.
  • The flow mask determines the granularity of the statistics gathered, which controls the size of the NetFlow table. Less specific flow masks result in fewer entries in the NetFlow table, and the most specific flow masks result in the most entries.

Posted by jahil | 0 Comments

How To Change Windows (Default Gateway/Route)

 

If you are using Windows (2000, XP, Vista) and want to change the default gateway (default route), you can use the command below:

 c:\> route change 0.0.0.0 mask 0.0.0.0 x.x.x.x -p

(The -p flag makes the route persistent across reboots of the system.)

Posted by jahil | 3 Comments

:) (CCIE) :(


I just finished the Vol 1 Bridging and Switching labs... again. I'm redoing all of the Vol 1 labs, and repeating once more the ones I wasn't able to do without consulting the Doc CD or the lab solutions. My idea is to have absolute mastery of all the technologies covered in Vol 1's labs before moving on to Vol 2.

Volume 1 labs are great to "solidify" my knowledge of a given technology. Vol 2 labs will surely continue to do this, but I'm hoping that Vol 2's labs will help me to understand exactly what I have to configure for a given requirement (specified in plain text).

From what I've read on Groupstudy's CCIE lab list, Cisco has the habit of formulating requirements with subtle indications of what's really intended. So it's not sufficient to master the technology; it's also necessary to understand EXACTLY what Cisco wants you to do on their lab exam.

I've also started to use the Doc cd (actually I'm using the online doc cd). Since this is going to be the only reference I'll have during the actual lab, I want to know it inside out. From what I've read so far, this is a great resource. My knowledge in those little details that may matter someday has been increasing a lot.

Posted by jahil | 1 Comments