JUNOS Cookbook
By Aviva Garrett
Publisher: O'Reilly
Pub Date: April 2006
Print ISBN-10: 0-596-10014-0
Print ISBN-13: 978-0-59-610014-8
Pages: 682
The Juniper Networks routing platforms are becoming the go-to solution for core, edge, metro and remote office networks, and JUNOS software is behind it all. The operating system is so full of industrial-strength routing protocols and IP innovations that those treading into the world of JUNOS will need clarification, explanation, and a showcase example or two. Look no further. This JUNOS Cookbook provides it all and more.
Yes, you can mine through the 5,000 pages of documentation or take a two-thousand-dollar training course, but JUNOS's interprocess sophistication can be baffling unless you know the shortcuts and tricks, as well as those rays of illuminating comprehension that can come only from those who live with it. JUNOS Cookbook is the first comprehensive book about JUNOS software and it provides over 200 time-saving step-by-step techniques including discussions about the processes and alternative ways to perform the same task. It's been tested and tech-reviewed by field engineers who know how to take JUNOS out for a spin and it's applicable to the entire line of M-, T-, and J-series routers. JUNOS Cookbook will not only pay for itself the first few times you use it, it will make your network easier to manage and update.
"Aviva Garrett has done a tremendous job of distilling the features of JUNOS software in a form that will be useful for a wide audience - students, field engineers, network architects, and other networking professionals alike will benefit from this book. For many people, this is the only book on JUNOS they will need."
Pradeep Sindhu, CTO and Founder, Juniper Networks
"This cookbook is superb. Aviva Garrett has masterfully assembled a complete set of practical real-world examples with step-by-step instructions. Security, management, routing: it's all here!"
Stephen Gill, Research Fellow, Team Cymru
"A technical time-saver for any NOC or SOC working with JUNOS. Its clear, concise, and informative recipes are an invaluable resource."
Scott A. McIntyre, Security Officer, XS4ALL Internet B.V
Copyright
Foreword
Preface
Chapter 1. Router Configuration and File Management
Introduction
Recipe 1.1. Configuring the Router for the First Time
Recipe 1.2. Configuring the Router from the CLI
Recipe 1.3. Getting Exclusive Access to Configure the Router
Recipe 1.4. Displaying the Commands to Recreate a Configuration
Recipe 1.5. Including Comments in the Configuration
Recipe 1.6. Checking the Syntax of the Configuration
Recipe 1.7. Activating the Router Configuration
Recipe 1.8. Debugging a Failed Commit
Recipe 1.9. Exiting Configuration Mode
Recipe 1.10. Keeping a Record of Configuration Changes
Recipe 1.11. Determining What Changes You Have Made to the Configuration
Recipe 1.12. Configuring the Router by Copying a File from a Server
Recipe 1.13. Configuring the Router by Copying Text from a Terminal Window
Recipe 1.14. Backing Up the Router's Configuration
Recipe 1.15. Scheduling the Activation of a Configuration
Recipe 1.16. Provisionally Activating a Configuration
Recipe 1.17. Loading a Previous Router Configuration
Recipe 1.18. Creating an Emergency Rescue Configuration
Recipe 1.19. Backing Up Filesystems on M-Series and T-Series Routers
Recipe 1.20. Backing Up Filesystems on J-Series Routers
Recipe 1.21. Restoring a Backed-Up Filesystem
Recipe 1.22. Installing a Different Software Release on M-Series and T-Series Routers
Recipe 1.23. Installing a Different Software Release on J-Series Routers
Recipe 1.24. Creating an Emergency Boot Disk
Recipe 1.25. Gathering Software Version Information
Recipe 1.26. Gathering Hardware Inventory Information
Recipe 1.27. Finding Out How Long the Router Has Been Up
Recipe 1.28. Gathering Information Before Contacting Support
Recipe 1.29. Managing Routers with Similar Configurations
Recipe 1.30. Managing Redundant Routing Engines
Recipe 1.31. Using the Second Routing Engine to Upgrade to a New Software Version
Chapter 2. Basic Router Security and Access Control
Introduction
Recipe 2.1. Allowing Access to the Router
Recipe 2.2. Controlling Root Authentication
Recipe 2.3. Logging Into the Router's Console
Recipe 2.4. Setting the Login Authentication Methods
Recipe 2.5. Setting Up Login Accounts on the Router
Recipe 2.6. Changing the Format of Plain-Text Passwords
Recipe 2.7. Changing the Plain-Text Password Encryption Method
Recipe 2.8. Creating a Login Account for Remote Authentication
Recipe 2.9. Creating a Group Login Account
Recipe 2.10. Customizing Account Privileges
Recipe 2.11. Creating a Privilege Class that Hides Encrypted Passwords
Recipe 2.12. Setting Up RADIUS User Authentication
Recipe 2.13. Setting Up TACACS+ User Authentication
Recipe 2.14. Restricting Inbound SSH and Telnet Access
Recipe 2.15. Setting the Source Address for Telnet Connections
Recipe 2.16. Creating a Login Banner
Recipe 2.17. Finding Out Who Is Logged Into the Router
Recipe 2.18. Logging Out of the Router
Recipe 2.19. Forcibly Logging a User Out
Chapter 3. IPSec
Introduction
Recipe 3.1. Configuring IPSec
Recipe 3.2. Configuring IPSec Dynamic SAs
Recipe 3.3. Creating IPSec Dynamic SAs on J-Series Routers or Routers with AS PICs
Recipe 3.4. Using Digital Certificates to Create Dynamic IPSec SAs
Chapter 4. SNMP
Introduction
Recipe 4.1. Configuring SNMP
Recipe 4.2. Setting Router Information for the MIB-II System Group
Recipe 4.3. Setting Up SNMP Traps
Recipe 4.4. Controlling SNMP Access to the Router
Recipe 4.5. Using a Firewall Filter to Protect SNMP Access
Recipe 4.6. Controlling Access to Router MIBs
Recipe 4.7. Extracting Software Inventory Information with SNMP
Recipe 4.8. Extracting Hardware Inventory Information with SNMP
Recipe 4.9. Collecting Router Operational Information with SNMP
Recipe 4.10. Logging SNMP Access to the Router
Recipe 4.11. Logging Enterprise-Specific Traps
Recipe 4.12. Using RMON Traps to Monitor the Router's Temperature
Recipe 4.13. Configuring SNMPv3
Recipe 4.14. Tracking Router Configuration Changes
Recipe 4.15. Setting Up SNMPv3 Traps
Chapter 5. Logging
Introduction
Recipe 5.1. Turning On Logging
Recipe 5.2. Limiting the Messages Collected
Recipe 5.3. Including the Facility and Severity in Messages
Recipe 5.4. Changing the Size of a Logging File
Recipe 5.5. Clearing the Router's Logfiles
Recipe 5.6. Sending Log Messages to Your Screen
Recipe 5.7. Sending Logging Messages to a Log Server
Recipe 5.8. Saving Logging Messages to the Other Routing Engine
Recipe 5.9. Turning Off Logging
Recipe 5.10. Turning On Basic Tracing
Recipe 5.11. Monitoring Interface Traffic
Chapter 6. NTP
Introduction
Recipe 6.1. Setting the Date and Time on the Router Manually
Recipe 6.2. Setting the Time Zone
Recipe 6.3. Synchronizing Time When the Router Boots
Recipe 6.4. Synchronizing Time Periodically
Recipe 6.5. Authenticating NTP
Recipe 6.6. Checking NTP Status
Chapter 7. Router Interfaces
Introduction
Recipe 7.1. Viewing Interface Status
Recipe 7.2. Viewing Traffic Statistics on an Interface
Recipe 7.3. Setting an IP Address for the Router
Recipe 7.4. Setting the Router's Source Address
Recipe 7.5. Configuring an IPv4 Address on an Interface
Recipe 7.6. Configuring an IPv6 Address on an Interface
Recipe 7.7. Configuring an ISO Address on an Interface
Recipe 7.8. Creating an MPLS Protocol Family on a Logical Interface
Recipe 7.9. Configuring an Interface Description
Recipe 7.10. Choosing Primary and Preferred Interface Addresses
Recipe 7.11. Using the Management Interface
Recipe 7.12. Finding Out What IP Addresses Are Used on the Router
Recipe 7.13. Configuring Ethernet Interfaces
Recipe 7.14. Using VRRP on Ethernet Interfaces
Recipe 7.15. Connecting to an Ethernet Switch
Recipe 7.16. Configuring T1 Interfaces
Recipe 7.17. Performing a Loopback Test on a T1 Interface
Recipe 7.18. Setting Up a BERT Test on a T1 Interface
Recipe 7.19. Configuring Frame Relay on a T1 Interface
Recipe 7.20. Configuring a SONET Interface
Recipe 7.21. Using APS to Protect Against SONET Circuit Failures
Recipe 7.22. Configuring an ATM Interface
Recipe 7.23. Dealing with Nonconfigurable Interfaces
Recipe 7.24. Configuring Interfaces Before the PICs Are Installed
Chapter 8. IP Routing
Introduction
Recipe 8.1. Viewing the Routes in the Routing Table
Recipe 8.2. Viewing Routes to a Particular Prefix
Recipe 8.3. Viewing Routes Learned from a Specific Protocol
Recipe 8.4. Displaying the Routes in the Forwarding Table
Recipe 8.5. Creating Static Routes
Recipe 8.6. Blackholing Routes
Recipe 8.7. Filtering Traffic Using Unicast Reverse-Path Forwarding
Recipe 8.8. Aggregating Routes
Recipe 8.9. Load-Balancing Traffic Flows
Recipe 8.10. Adding Martian Addresses
Recipe 8.11. Changing Route Preferences to Migrate to Another IGP
Recipe 8.12. Configuring Routing Protocols to Restart Without Losing Adjacencies
Chapter 9. Routing Policy and Firewall Filters
Introduction
Recipe 9.1. Creating a Simple Routing Policy
Recipe 9.2. Changing a Route's Routing Information
Recipe 9.3. Filtering Routes by IP Address
Recipe 9.4. Filtering Long Prefixes
Recipe 9.5. Filtering Unallocated Prefix Blocks
Recipe 9.6. Creating a Chain of Routing Policies
Recipe 9.7. Making Sure a Routing Policy Is Functioning Properly
Recipe 9.8. Creating a Simple Firewall Filter that Matches Packet Contents
Recipe 9.9. Creating a Firewall Filter that Negates a Match
Recipe 9.10. Reordering Firewall Terms
Recipe 9.11. Filtering Traffic Transiting the Router
Recipe 9.12. Using a Firewall Filter to Count Traffic on an Interface
Recipe 9.13. Logging the Traffic on an Interface
Recipe 9.14. Limiting Traffic on an Interface
Recipe 9.15. Protecting the Local Routing Engine
Recipe 9.16. Rate-Limiting Traffic Flow to the Routing Engine
Recipe 9.17. Using Counters to Determine Whether a Router Is Under Attack
Chapter 10. RIP
Introduction
Recipe 10.1. Configuring RIP
Recipe 10.2. Having RIP Advertise Its Routes
Recipe 10.3. Configuring RIP for IPv6
Recipe 10.4. Enabling RIP Authentication
Recipe 10.5. Routing RIP Traffic over Faster Interfaces
Recipe 10.6. Sending Version 1 Update Messages
Recipe 10.7. Tracing RIP Protocol Traffic
Chapter 11. IS-IS
Introduction
Recipe 11.1. Configuring IS-IS
Recipe 11.2. Viewing the IS-IS Link-State Database
Recipe 11.3. Viewing Routes Learned by IS-IS
Recipe 11.4. Configuring IS-IS for IPv6
Recipe 11.5. Configuring a Level 1 Only Router
Recipe 11.6. Controlling DIS Election
Recipe 11.7. Enabling IS-IS Authentication
Recipe 11.8. Redistributing Static Routes into IS-IS
Recipe 11.9. Leaking IS-IS Level 2 Routes into Level 1
Recipe 11.10. Adjusting IS-IS Link Costs
Recipe 11.11. Improving IS-IS Convergence Times
Recipe 11.12. Moving IS-IS Traffic off a Router
Recipe 11.13. Disabling IS-IS on an Interface
Recipe 11.14. Tracing IS-IS Protocol Traffic
Chapter 12. OSPF
Introduction
Recipe 12.1. Configuring OSPF
Recipe 12.2. Viewing Routes Learned by OSPF
Recipe 12.3. Viewing the OSPF Link-State Database
Recipe 12.4. Configuring OSPF for IPv6
Recipe 12.5. Configuring a Multiarea OSPF Network
Recipe 12.6. Setting Up Stub Areas
Recipe 12.7. Creating a Not-So-Stubby Area
Recipe 12.8. Summarizing Routes in OSPF
Recipe 12.9. Enabling OSPF Authentication
Recipe 12.10. Redistributing Static Routes into OSPF
Recipe 12.11. Adjusting OSPF Link Costs
Recipe 12.12. Improving OSPF Convergence Times
Recipe 12.13. Moving OSPF Traffic off a Router
Recipe 12.14. Disabling OSPF on an Interface
Recipe 12.15. Tracing OSPF Protocol Traffic
Chapter 13. BGP
Introduction
Recipe 13.1. Configuring a BGP Session Between Routers in Two ASs
Recipe 13.2. Configuring BGP on Routers Within an AS
Recipe 13.3. Diagnosing TCP Session Problems
Recipe 13.4. Adjusting the Next-Hop Attribute
Recipe 13.5. Adjusting Local Preference Values
Recipe 13.6. Removing Private AS Numbers from the AS Path
Recipe 13.7. Prepending AS Numbers to the AS Path
Recipe 13.8. Filtering BGP Routes Based on AS Paths
Recipe 13.9. Restricting the Number of Routes Advertised to a BGP Peer
Recipe 13.10. Authenticating BGP Peers
Recipe 13.11. Setting Up Route Reflectors
Recipe 13.12. Mitigating Route Instabilities with Route Flap Damping
Recipe 13.13. Adding a BGP Community to Routes
Recipe 13.14. Load-Balancing BGP Traffic
Recipe 13.15. Tracing BGP Protocol Traffic
Chapter 14. MPLS
Introduction
Recipe 14.1. Configuring LSPs Using LDP as the Signaling Protocol
Recipe 14.2. Viewing Information and LDP-Signaled LSPs in the Routing Tables
Recipe 14.3. Verifying that an LDP-Signaled LSP Is Carrying Traffic
Recipe 14.4. Enabling LDP Authentication
Recipe 14.5. Tracing LDP Operations
Recipe 14.6. Setting Up RSVP-Signaled LSPs
Recipe 14.7. Viewing Information About RSVP-Signaled LSPs in the Routing Tables
Recipe 14.8. Verifying Packet Labels
Recipe 14.9. Verifying that the RSVP-Signaled LSP Is Carrying Traffic
Recipe 14.10. Configuring RSVP Authentication
Recipe 14.11. Protecting an LSP's Path
Recipe 14.12. Using Fast Reroute to Reduce Packet Loss Following a Link Failure
Recipe 14.13. Automatically Allocating Bandwidth
Recipe 14.14. Prioritizing LSPs
Recipe 14.15. Allowing IGP Traffic to Use an LSP
Recipe 14.16. Installing LSPs into the Unicast Routing Table
Recipe 14.17. Tracing RSVP Operations
Chapter 15. VPNs
Introduction
Recipe 15.1. Setting Up a Simple Layer 3 VPN
Recipe 15.2. Viewing the VPN Routing Tables
Recipe 15.3. Adding a VPN for a Second Customer
Chapter 16. IP Multicast
Introduction
Recipe 16.1. Configuring PIM-SM
Recipe 16.2. Manually Establishing a PIM-SM RP
Recipe 16.3. Using Auto-RP to Dynamically Map RPs
Recipe 16.4. Setting Up a PIM-SM Bootstrap Router
Recipe 16.5. Filtering PIM-SM Bootstrap Messages
Recipe 16.6. Configuring Multiple RPs in a PIM-SM Domain with Anycast RP
Recipe 16.7. Configuring Multiple RPs in a PIM-SM Domain Anycast PIM
Recipe 16.8. Limiting the Group Ranges an RP Services
Recipe 16.9. Viewing Multicast Routes
Recipe 16.10. Checking the Groups for Which a PIM-SM Router Maintains Join State
Recipe 16.11. Manually Configuring IGMP
Recipe 16.12. Using SSM
Recipe 16.13. Connecting PIM-SM Domains Using MSDP and MBGP
Recipe 16.14. Configuring PIM-DM
Recipe 16.15. Tracing PIM Packets
About the Author
Colophon
Index
Copyright © 2006 O'Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or
Editor: Mike Loukides
Cover Designer: Karen Montgomery
Production Editor: Laurel R.T. Ruma
Interior Designer: David Futato
Copyeditor: Laurel R.T. Ruma
Cover Illustrator: Riverside Natural History
Proofreader: Matt Hutchinson
Illustrators: Robert Romano, Jessamyn Read, and Lesley Borash
Indexer: Lucie Haskins
Printing History:
April 2006: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. The JUNOS Cookbook, the image of an angora goat, and related trade dress are trademarks of O'Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 0-596-10014-0
[M]
Foreword
The early days at Juniper Networks were not for the faint of heart. Joining during the hiring rush of early 1997, I found that the cubes and offices of the small office in Santa Clara, California were already packed with experienced old hands, people whom I knew had been around the block once before and would not be shy of expressing themselves. Everyone had strong views on nearly every aspect of building a router from scratch. If you had the misfortune to sit next to a busy conference room, a good pair of headphones and large CD collection were required to drown out the arguments. Design meetings often became heated, and egos were occasionally bruised. Our friends from previous employers taunted us with predictions of doom.
Despite the arguments, we were all united and driven by one solitary goal: to win the competition to build the best Internet core router available. This was a serious challenge, considering the primary competition was a 300-pound gorilla in the form of Cisco Systems. Beating Cisco would require us to produce a router that tackled the perceived weaknesses in its core router platform. A Juniper Networks core router would have to provide line-rate performance (which, for the M40 router meant forwarding around 40 million packets per second), robust core routing protocols, and stable control software. In short, it had to make customers really want to use it.
The performance requirements meant that the network traffic had to be forwarded entirely in hardware. This was something that had never before been attempted for a core network router. As a result, the hardware design of the M40 looked like science fiction to Juniper recruits who had worked on other networking products. The entire forwarding path of the router was constructed from four Application Specific Integrated Circuits (ASICs), designed entirely by Juniper. These four ASICs (called A, B, C, and D to prevent loose lips from revealing their function) were huge, intricate, and enormously ambitious. A large design team of experienced engineers was assembled to implement the ASICs and partnered with another large verification team to check that the designs were functionally correct. Since Silicon Valley was littered with networking startups that had failed because of silicon design problems, there was enormous pressure on the ASIC teams to get it right first time. We all knew that a failed ASIC would probably sink the company.
Not that there was any less pressure on the software teams. Convincing customers to deploy a brand new and essentially untried core router into the very heart of their networks is an enormous task. A new router that crashes, forwards packets erratically, or just basically behaves weirdly won't make any friends in the network operations team and will find itself unceremoniously removed from the network. The problem is that designing and implementing a core router that works completely reliably is a feat that has defeated many companies. And those were "simple" routers where the packets had been forwarded by software. In contrast, not only did the Juniper router require robust routing protocols that could scale to the largest networks, but it also had to have a robust software infrastructure on the CPU-based control boards that managed the fiendishly complicated packet-forwarding ASICs. Just like the ASIC team, the software team had to get it right the first time.
The JUNOS team started from a basic FreeBSD software base and reworked much of the network software in the kernel. New user daemons were written, and a carrier-grade routing protocol suite was implemented. The routing protocols had to be designed to scale to the largest networks and be robust enough to withstand wild fluctuations in the networks around them, something that the competing routers often struggled with. Thankfully, Juniper had a deep well of routing protocol talent available that could pool its cumulative knowledge to design high-quality routing protocol implementations. Potential customers still had to be convinced that the new protocol implementations would interoperate safely within their existing networks. To allow early evaluation, a fledgling JUNOS system appeared in the form of Olive, which was a standard rackmount PC pretending to be a JUNOS routing engine board. This prototype system was delivered to potential customers to give them a feel for the current state of the system and to allow the routing protocols to be debugged.
Juniper had outgrown the offices it occupied in Santa Clara and moved to Mountain View, just off of Highway 237. We didn't trust the movers to shift the servers between sites and decided to move all the systems ourselves. At one point, we realized that all of Juniper's primary software servers were loaded into just one car; paranoia dictated that we split them between two cars just in case something happened on the short drive to the new office. We drove gingerly to the new site once the rush hour had finished and breathed a huge sigh of relief when all the servers powered up again. We also got a surprise bonus when we arrived at the new site. The previous occupants of our new office block had left a huge rat's nest of network cables in their old data center; they'd obviously decided that it was just too much work to untangle it. However, since money was tight, we refused to throw the huge bundle of cables out and spent the next couple of weeks teasing CAT5 cables out of the jumble during quiet moments. There were enough cables from the bundle to let us completely rewire the first software engineering lab for free.
Throughout 1997 and early 1998, all the Juniper engineering teams worked pretty much flat-out to finish the M40. The engineering labs were seldom quiet, and it was hard to tell the weekends from the weekdays by counting cars in the parking lot. The software teams designed and implemented a truly astonishing amount of code in a very short period of time. FreeBSD kernel extensions were added to provide support for chassis management and new Juniper network interfaces. A clean user interface was designed and implemented to provide a seamless interface to the system and prevent users from having to edit raw configuration files by hand. An entire embedded microkernel was written to manage the packet-forwarding engine boards in the system (a fully-loaded M40 would have nine PFE-related boards), which would allow users to exchange configuration and status messages with the routing engine and each other. Drivers for the embedded microkernel were written to manage the ASICs and to allow the route engine to configure the PFE. The size and complexity of the software required to manage just the various control boards eventually grew to rival the route engine itself.
The real headache for the software team was that the hardware wasn't available to test with. It can take many months after a system is assembled in the engineering lab to get it to a usable state as a complete system. But Juniper couldn't afford for us to spend six months in the lab; there just wasn't enough money or time. The solution was to get extremely creative with test equipment, evaluation boards, and generic PCs before the final hardware was available. All sorts of emulation environments were developed to allow the new routing engine and embedded software to be debugged ahead of the actual hardware. For months, we used a motley collection of machines cobbled together from parts and equipment that emulated the final hardware. We didn't really have to disguise the lab for external visitors; they wouldn't have been able to guess that each ratty bundle of machines was a virtual M40.
The payback from this approach was enormous. When the hardware finally arrived, it took just one week in the engineering lab for the first network packets to be forwarded successfully! Considering the complexity of the routing engine and PFE interaction, this was a monumental achievement and meant that we could quickly verify that the hardware worked before shipping the systems to our early test customers in September of 1998.
Designing and implementing the first release of the JUNOS software was an unforgettable time. Although the reader may think I've concentrated way too much on the hardware, the JUNOS software is intrinsically the way it is because of the hardware. That it has gone through so many iterations since then, and continues to evolve with the advancement of Juniper routers, is the first item you should learn in this book.
The second thing that you should know is that although creating the JUNOS software really was a team effort, Aviva Garrett had the dubious task of documenting our efforts. In fact, she wrote the first manual. And then, as the manager of Juniper Networks technical publications, she led the effort from Version 1.0 until very recently, somewhere after 7.x. Now she has come back and worked on this marvelous book for an entire year, revisiting everything we once did and everything that has evolved since those early days. JUNOS Cookbook represents a full circle for the JUNOS software suite somehow, looping from those early, midday conference room marathons to today's ability to route a large portion of the world's network traffic. Aviva and her team of reviewers and technical experts have broken it all down into bite-size recipes and discussions that make today's complex array of features seem like that simple, erudite version we created back in 1998. Enjoy it, and cheers.
Scott Mackie
Former Distinguished Engineer, Juniper Networks
February 2006
Preface
Over the past decade, network service providers have been adding high-performance Juniper Networks routers to their networks to run their IP backbones. With the recent introduction of smaller routers with the same basic functionality as the larger core routers, more people will be using Juniper Networks routers in their business networks and will need to learn how to configure and run the JUNOS software that runs on their routers. JUNOS Cookbook explains the design of the JUNOS software and provides recipes and guidelines for setting up common features that you need to configure and secure your Juniper Networks router.
For those of you who are familiar with Cisco IOS or other routers, you will find the JUNOS software and the design of the router hardware similar to the other routers in some ways, but very different in many ways. The initial design of the JUNOS software began in 1996, when the TCP/IP protocol suite was already mature and it was clear that this protocol suite was the only one needed for network devices to run on the Internet. Those involved in developing the original JUNOS software and router hardware all had previous experience designing similar products and were intent on building something better. Some of the JUNOS features that improve the router operation include:
Software modularity
The JUNOS software comprises several dozen processes, or daemons, rather than a single process, so you can stop a single process and restart it without having to reboot the entire router.
Separation of forwarding and routing
The actual forwarding of packets is performed by custom high-speed Application-Specific Integrated Circuits (ASICs), while routing is performed by a CPU in a small PC that is built into the router. This separation of the routing and forwarding functions improves router performance.
Powerful configuration editor and batch configuration activation
The JUNOS configuration editor supports command completion and text files and allows you to return to previous configurations. Activating JUNOS configurations is a batch process, and interdependent configuration segments take effect at the same time.
Hard disk in the router
Having a built-in hard disk provides storage on the router for software images needed for software upgrades, core dumps, and JUNOS documentation, which is accessed with online help.
The first version of JUNOS software, released in 1998 with the first router, the M40 router, focused on features for large-capacity Internet service provider (ISP) and telephone company (telco) networks. Like any network operating system, additions are regularly being made to the software to incorporate new technologies, protocols, and feature sets. The JUNOS software is updated four times per year. JUNOS Cookbook was written for Release 7.4, which shipped at the end of 2005. You will find, however, that most of the recipes in this book also work on earlier software releases, and they should continue to work on future releases. All recipes in this book were developed on M7i or J2300 routers. And, except where noted, they should run on any Juniper Networks J-series, M-series, and T-series routing platform. I have indicated when I use features that are available only with certain software releases or hardware.
Given the diversity and complexity of the JUNOS software, this book cannot cover the entire operating system. Instead, JUNOS Cookbook consists of a collection of sample router configurations for the proper installation, configuration, and optimization of your Juniper Networks routers and is focused on helping you set up the common components of your router: the network interfaces and the routing protocols themselves.
JUNOS Cookbook is not intended to replace the detailed feature information available on the Juniper Networks web site. This book doesn't have the space to provide details about how particular protocols actually work, and you can find this information in the Internet Engineering Task Force (IETF) Request for Comment (RFC) and Internet draft documents, as well as in a wide variety of books.
I welcome feedback from readers. If you have comments, suggestions, or ideas for other recipes, please let me know. If there are future editions of the JUNOS Cookbook, I will include any suggestions that I think are especially useful. You can reach me at
Organization
As the name suggests, JUNOS Cookbook is organized as a series of recipes. Each recipe begins with a problem statement that describes a common situation you might face. After each problem statement is a brief solution that shows a sample router configuration or script that you can use to resolve that particular problem. A discussion section then describes the solution, how it works, and when you should or should not use it.
I have tried to construct the recipes so that you can turn directly to the one that addresses your specific problem and find a useful solution without needing to read the entire book. If the solution includes terms or concepts you are not familiar with, the chapter introductions should help bridge the gap. Many recipes refer to other recipes or chapters that discuss related topics. I have also included a variety of references to other sources in case you need more background information on a particular subject.
The chapters are organized by the feature or protocol discussed. If you are looking for information on a particular feature such as BGP, MPLS, or SNMP, you can turn to that chapter and find a variety of related recipes. Most chapters list basic problems first and any unusual or complicated situations last. But there are some exceptions to this, such as where I have instead grouped related recipes together.
What's in This Book
The first chapters cover essential system administration functions of the router:
Chapter 1, Router Configuration and File Management
Covers router configuration and file management issues
Chapter 2, Basic Router Security and Access Control
Focuses on router security, describing user access and privileges on the router and how to protect your router from undesired access
Chapter 3, IPSec
Describes how to use IPSec to encrypt and secure traffic
The next three chapters focus on managing the router:
Chapter 4, SNMP
Discusses how to use the Internet standard SNMP protocol to remotely manage your router
Chapter 5, Logging
Explains how to log events that occur on the router so you can trace the causes of router and network malfunctions
Chapter 6, NTP
Explains how to properly set the time on your router, both manually and using NTP, to synchronize time across all network devices
Chapter 7, Router Interfaces
Discusses router interfaces and how to configure interface properties, including the physical device itself as well as all network addresses associated with an interface, including IPv4, IPv6, and ISO addresses
The next six chapters cover various aspects of IP routing:
Chapter 8, IP Routing
Looks at IP routing in general, including routing tables, route preferences, and selecting active routes
Chapter 9, Routing Policy and Firewall Filters
Discusses routing policy, which controls the routes that are stored in and advertised from the routing tables. This chapter also covers firewall filters, which are applied to traffic entering and exiting router interfaces
Chapter 10, RIP
Looks at RIP, including both Versions 1 and 2 and RIPng
Chapter 11, IS-IS
Looks at IS-IS
Chapter 12, OSPF
Discusses OSPF
Chapter 13, BGP
Discusses the BGP protocol, which controls all IP routing through the backbone of the Internet
The remaining chapters all cover separate topics:
Chapter 14, MPLS
Discusses MPLS, which is commonly used along with RSVP for traffic engineering
Chapter 15, VPNs
Covers BGP-MPLS (Layer 3) VPNs, which are an application of BGP and MPLS that provides private virtual networks
Chapter 16, IP Multicast
Covers the IP multicast protocols
Conventions
The following formatting conventions are used throughout this book:
Italic
Used for commands, filenames, directories, script variables, keywords, emphasis, technical terms, and Internet domain names
Constant width
Used for code sections, interface names, and IP addresses
Constant width italic
Used for replaceable text
Constant width bold
Used for user input and emphasis within code
Constant width bold italic
Used to highlight replaceable items within code
Comments and Questions
Please address comments and questions about this book to the publisher:
O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international/local)
(707) 829-0104 (fax)
There is a web page for this book, which lists errata, examples, or any additional information. You can access this page at:
To comment or ask technical questions about this book, send email to: