JUNOS Enterprise Routing
by Doug Marschke and Harry Reynolds
Publisher: O'Reilly
Pub Date: March 27, 2008
Print ISBN-13: 978-0-596-51442-6
Pages: 812

Overview

Written by the instructors and creators of the JNTCP-ER Certification Exams, JUNOS Enterprise Routing is the only comprehensive book for Juniper enterprise and edge routing environments. It offers complete coverage of all the services available to the JUNOS administrator, including JUNOS Enhanced Services (ES). This book is the official study guide for all three Juniper Enterprise Routing certification exams, and is highly recommended reading to pass the exams. With its field-guide emphasis on practical solutions, you can easily take the book beyond the classroom and into working networks as a design, maintenance, and troubleshooting reference par excellence.

JUNOS Enterprise Routing covers all three certification exams in this track:
  Juniper Networks Certified Internet Associate (JNCIA-ER)
  Juniper Networks Certified Internet Specialist (JNCIS-ER)
  Juniper Networks Certified Internet Expert (JNCIE-ER)

With more services such as voice, conference, and multicast on the IP router platform, the market for enterprise routers is growing exponentially, and the need for certified engineers to keep up with network developments in protocols and security is paramount. For everyone who works with Juniper enterprise and edge routing environments, this is a must-have book.

Table of Contents

Foreword
Credits
Preface
Chapter 1 Introduction to JUNOS Enterprise Routing
  Section 1.1 JUNOS Overview
  Section 1.2 CLI Review
  Section 1.3 Advanced CLI and Other Cool Stuff
  Section 1.4 Conclusion
  Section 1.5 Exam Topics
  Section 1.6 Chapter Review Questions
  Section 1.7 Chapter Review Answers
Chapter 2 Interfaces
  Section 2.1 Permanent Interfaces
  Section 2.2 Transient Interfaces
  Section 2.3 Interface Properties
  Section 2.4 Interface Configuration Examples
  Section 2.5 Interface Troubleshooting
  Section 2.6 Conclusion
  Section 2.7 Exam Topics
  Section 2.8 Chapter Review Questions
  Section 2.9 Chapter Review Answers
Chapter 3 Protocol Independent Properties and Routing Policy
  Section 3.1 Protocol Independent Properties
  Section 3.2 Routing Policy
  Section 3.3 Conclusion
  Section 3.4 Exam Topics
  Section 3.5 Chapter Review Questions
  Section 3.6 Chapter Review Answers
Chapter 4 Interior Gateway Protocols and Migration Strategies
  Section 4.1 IGP Overview
  Section 4.2 RIP Deployment Scenario
  Section 4.3 IGP Migration
  Section 4.4 Overlay Migration Scenario: RIP to OSPF
  Section 4.5 EIGRP-to-OSPF Migration
  Section 4.6 Conclusion
  Section 4.7 Exam Topics
  Section 4.8 Chapter Review Questions
  Section 4.9 Chapter Review Answers
Chapter 5 Border Gateway Protocol and Enterprise Routing Policy
  Section 5.1 What Is BGP?
  Section 5.2 Internal and External BGP
  Section 5.3 BGP and the Enterprise
  Section 5.4 Asymmetric Link Speed Support
  Section 5.5 BGP Deployment: Asymmetric Load Balancing
  Section 5.6 Enterprise Routing Policy
  Section 5.7 Multihome Beer-Co
  Section 5.8 Inbound Policy
  Section 5.9 Conclusion
  Section 5.10 Exam Topics
  Section 5.11 Chapter Review Questions
  Section 5.12 Chapter Review Answers
Chapter 6 Access Security
  Section 6.1 Security Concepts
  Section 6.2 Securing Access to the Router
  Section 6.3 Firewall Filters
  Section 6.4 Spoof Prevention (uRPF)
  Section 6.5 Monitoring the Router
  Section 6.6 Conclusion
  Section 6.7 Exam Topics
  Section 6.8 Chapter Review Questions
  Section 6.9 Chapter Review Answers
Chapter 7 Introduction to JUNOS Services
  Section 7.1 JUNOS Services
  Section 7.2 Layer 2 Services
  Section 7.3 Layer 3 Services
  Section 7.4 Layer 3 Services Configuration
  Section 7.5 Additional Service Options
  Section 7.6 Conclusion
  Section 7.7 Exam Topics
  Section 7.8 Chapter Review Questions
  Section 7.9 Chapter Review Answers
Chapter 8 Advanced JUNOS Services
  Section 8.1 Route Tables and Next Hop Service Sets
  Section 8.2 IPSec VPNs
  Section 8.3 NAT
  Section 8.4 Combining Services
  Section 8.5 The Life of a Packet
  Section 8.6 Conclusion
  Section 8.7 Exam Topics
  Section 8.8 Chapter Review Questions
  Section 8.9 Chapter Review Answers
Chapter 9 Class of Service
  Section 9.1 What Is IP CoS, and Why Do I Need It?
  Section 9.2 IP Differentiated Services
  Section 9.3 M7i and J-Series CoS Capabilities
  Section 9.4 DiffServ CoS Deployment and Verification
  Section 9.5 J-Series Adaptive Shapers and Virtual Channels
  Section 9.6 Conclusion
  Section 9.7 Exam Topics
  Section 9.8 Chapter Review Questions
  Section 9.9 Chapter Review Answers
Chapter 10 IP Multicast in the Enterprise
  Section 10.1 What Is Multicast?
  Section 10.2 Multicast Protocols
  Section 10.3 PIM Sparse Mode: Static RP
  Section 10.4 Configure PIM Sparse Mode with Bootstrap RP
  Section 10.5 PIM-Based Anycast-RP
  Section 10.6 Conclusion
  Section 10.7 Exam Topics
  Section 10.8 Chapter Review Questions
  Section 10.9 Chapter Review Answers
Chapter 11 JUNOS Software with Enhanced Services
  Section 11.1 JUNOS Software with Enhanced Services Overview
  Section 11.2 Migrating from JUNOS to JUNOS Software with Enhanced Services
  Section 11.3 Service Migration Case Study: JUNOS to JUNOS Software with Enhanced Services
  Section 11.4 Conclusion
  Section 11.5 Exam Topics
  Section 11.6 Chapter Review Questions
  Section 11.7 Chapter Review Answers
Glossary
Colophon
Index

JUNOS Enterprise Routing
by Doug Marschke and Harry Reynolds

Copyright © 2008 Doug Marschke and Harry Reynolds. All rights reserved.
Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editor: Mike Loukides
Developmental Editor: Patrick Ames
Production Editor: Sumita Mukherji
Copyeditor: Audrey Doyle
Proofreader: Mary Brady
Indexer: Angela Howard
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Jessamyn Read

Printing History:
March 2008: First Edition

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. JUNOS Enterprise Routing, the image of Tengmalm's owl, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN: 978-0-596-51442-6
[M]

Foreword

In 1998, Juniper Networks launched its first product, the M40 router, and in doing so sparked a period of innovation in IP routing that continues to accelerate. Although the M40 was designed to carry Internet traffic for Internet service providers (ISPs), the benefits of IP networking were becoming apparent to other companies as well, and a short time later Juniper began to build routers with the specific goals of the rapidly developing IP business network market in mind.

The book you're holding exists to help you understand and implement the most critical elements of business networking using Juniper Networks routers running the JUNOS operating system. JUNOS contains a set of powerful tools that allow intelligent policies to replace large amounts of basic configuration, which gives the engineer a brilliantly practical way to deploy services beyond simple routing.
JUNOS represents the most valuable contribution to networking that Juniper has made: it's reliable, flexible, secure, and simple to use, and an increasing number of businesses are finding that these qualities are compelling enough to move to Juniper and away from legacy "first-generation" routers and their less capable operating systems.

P2.1 Why Enterprise Routing?

Many books have been written about JUNOS, but this book is unique in that it will prepare you to use JUNOS in an enterprise-centric sense. Enterprise is a term that equipment manufacturers and others use to distinguish the internal networks of "normal" businesses from the typically larger ones run by service providers, phone companies, and other network providers. Although there are, of course, similarities, every type of business requires its own unique set of capabilities from its network infrastructure regardless of its size: financial institutions have different needs from those of retail chains, which themselves differ from governments and universities.

Enterprise business networks are not simply small service provider networks. Although some aspects of networking technology, such as faster interfaces and greater degrees of reliability, continue to be attributes of both environments, their design goals and operational techniques differ greatly. A service provider usually maintains a network for the benefit of paying customers who produce revenue, whereas the network of an enterprise such as a bank has traditionally been viewed as an investment whose operational expense should be minimized. This essential difference has meant that service providers have usually been seen as the custodians of network innovation, with enterprises reluctant to invest more than the bare minimum in their infrastructure because of the uncertainty of real return on their investment.

There are signs that this attitude is changing. Companies in virtually every industry have embraced the idea that more effective use of their IT infrastructure can make them more competitive and efficient. To that end, enterprise executives are increasingly interested in innovative ways to capitalize on their investments in data networks. This trend is most pronounced in data-intensive industries such as banking, finance, and insurance, but it extends into even less obvious areas such as manufacturing and transportation. Service provider and enterprise networks continue to be different in terms of their customer base and their relationship to technology, but networking in general is becoming increasingly important to the competitiveness of all types of companies. Some of the most outstanding examples of the ways that networking can improve business fundamentals are those related to developments in IP routing, and many of those developments have recently come from Juniper Networks.

P2.2 Why Is Routing So Important?

Routing is the hub around which all of IP connectivity revolves. At the simplest level, routing establishes basic internetwork communications, implements an addressing structure that uniquely identifies each device, and organizes individual devices into a hierarchical network structure. Traditionally, routers have also served as the media adapters that have connected remote offices to the headquarters via a WAN. The most recent trend, though, is to see routers as the integration platforms for a wide variety of network enhancements such as security, policy, and services that extend the capabilities of IP to support telephony, video, legacy service integration, and other applications over a converged network. This means the router has become the primary control point in the increasingly complex network environment, holding responsibility for service quality and security, monitoring and efficiency, and other attributes that allow networks to add value.

If you control the routers, you control the network. This is true in a static network, of course, but even more so in today's typical case of a rapidly evolving
enterprise, where migration to fully IP-based services is underway. This book will show you how you can use Juniper routers to ease this migration and arrive at a more successful outcome with less work than other platforms would require. This is important because although the basics of routing remain somewhat the same, the more advanced aspects are under constant development, and the authors have done a great job of showing you how to address the continually changing enterprise network environment. Juniper has long understood that constant change is a fact of today's networks, and has worked to bring new levels of performance, dependability, and scalability to routing platforms and the software that runs them. CIOs and IT departments realize that by deploying a more powerful, flexible tool at their networks' control points, they enable their networks to address new challenges more easily and economically, and that's the best way to support the competitiveness of their company.

P2.3 How This Book Will Help You
... daughters, Christina and Marissa, for once again understanding and accommodating my desire to engage in this project. Also, special thanks to my managers at Juniper Networks, Corinne Rattay and Sreedhevi Sankar, for their understanding and ...

... Thanks also to Matt Kolon, for taking time from his busy schedule to evaluate the material, and for his inspirational Foreword. And last but not least, special thanks to Jason Rogan and Patrick Ames for their assistance and behind-the-scenes ...

... book possible, and others have assisted us with their technical accuracy, typographical excellence, and editorial inspiration. Many thanks are owed to the official technical editors of this material. Mario and Jack were extremely responsive to the demanding needs of our schedule