Session 3


Published on March 11, 2014

Author: ahmedelmeghiny

Source: slideshare.net

Description

Juniper
JNCIA-Junos - 3
ahmed.nosehy@gmail.com

JNCIA - JUNOS Eng. Ahmed Nosehy

Firewall filters

Firewall filter overview (1/2)
• In Cisco:
  * You configure access lists by number or name.
  * The number dictates the type of access list (standard or extended).
  * You can apply the access list either inbound or outbound.
• In Juniper:
  * Access lists are called firewall filters.
  * As in Cisco, they can be applied either inbound or outbound.
  * Firewall filters are configured under [edit firewall family inet].

Firewall filter overview (2/2)

Firewall filter terms(1/10)
• Remember that in Cisco, the match and the action are on the same line.
• In Junos, by contrast, the match is configured separately, under a TERM.

Firewall filter terms(2/10)
• There is an implicit deny at the end of an access list in both Cisco and Junos.
• The deny action in Junos is either DISCARD or REJECT.

Firewall filter terms(3/10)
• Example to block all IPv4 traffic for subnet 192.168.0.0/24:

Firewall filter terms(4/10)
• Junos offers great flexibility in access lists; we can rewrite the previous filter as follows:
• The only difference between this example and the previous one is that here the packet is discarded (silently, with no error), not rejected.
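The two variants described on slides 3/10 and 4/10, as an added example that is not taken from the original slides. The filter and term names are hypothetical, the match is assumed to be on the source address, and the final accept term is added so that the implicit deny does not drop all other traffic.

```junos
firewall {
    family inet {
        /* Variant 1: reject drops the packet and sends an ICMP
           destination-unreachable message back to the sender */
        filter BLOCK-SUBNET-REJECT {
            term block-192-168-0 {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then {
                    reject;
                }
            }
            /* Without this term the implicit deny at the end of the
               filter would drop every other packet as well */
            term allow-everything-else {
                then accept;
            }
        }
        /* Variant 2: same match, but discard drops the packet
           silently, so the sender gets no error */
        filter BLOCK-SUBNET-DISCARD {
            term block-192-168-0 {
                from {
                    source-address {
                        192.168.0.0/24;
                    }
                }
                then {
                    discard;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
    }
}
```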

Firewall filter terms(5/10)
• We can add to and modify an existing access list.
• We can also add a description using the annotate command.

Firewall filter terms(6/10)

Firewall filter terms(7/10)
• Moreover, a prefix list can be used for the source addresses.

Firewall filter terms(8/10)
• Question: make an access list with a prefix list as the match condition.
• The prefix list should contain at least three prefixes.
• The filter will allow those prefixes only.
• Answer:

Firewall filter terms(9/10)
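One possible answer to the question on slide 8/10, as an added example that is not the answer from the original slides. The prefixes, the names and the interface ge-0/0/0 are constructed; the explicit final term has the same effect as the implicit deny but also counts and logs what it drops.

```junos
policy-options {
    /* Constructed prefixes, not taken from the slides */
    prefix-list ALLOWED-SOURCES {
        10.10.1.0/24;
        10.10.2.0/24;
        172.16.5.0/24;
    }
}
firewall {
    family inet {
        filter ALLOW-LISTED-ONLY {
            term permit-listed {
                from {
                    source-prefix-list {
                        ALLOWED-SOURCES;
                    }
                }
                then accept;
            }
            /* Explicit version of the implicit deny, with a counter
               and a log entry for every dropped packet */
            term deny-rest {
                then {
                    count denied-not-listed;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Hypothetical interface; the filter is applied inbound */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input ALLOW-LISTED-ONLY;
                }
            }
        }
    }
}
```

Because this filter drops everything that is not listed, activating it with `commit confirmed` lets the router roll back automatically if the filter cuts off your own management session.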

Firewall filter terms(10/10)
• Junos can support non-contiguous prefixes.

Firewall filter Performance (1/2)

Firewall filter Performance (2/2)

Firewall filter change (1/5)
• In Cisco, if you want to insert a line, you remove the whole access list and then rewrite it.
• Engineers most likely use a text file to speed up their work, and that may cause problems, because access-list entries are applied in order (what if you allowed undesired traffic, or vice versa?).
• Junos offers great flexibility in changing an access list.

Firewall filter change (2/5)
• An example of changing an access list: adding an additional web server.

Firewall filter change (3/5)
• Remember:

Firewall filter change (4/5)
• The Junos equivalent filter:

Firewall filter change (5/5)
• Only one set command:
• Mission accomplished.

Applying Firewall filter (1/2)
• You apply the access list in a direction (inbound or outbound) under the interface configuration:

Applying Firewall filter (2/2)

Routing protocols

overview

Routing Table(1/3)
• Junos uses inet.0 as the global routing table.
• Junos uses _juniper_private1_.inet.0 for management traffic.
• If you create another routing instance, it will show as <vrf name>.inet.0.

Routing Table(2/3)
• Connected and local routes:

Routing Table(3/3)

Troubleshooting routing problems(1/2)

Troubleshooting routing problems(2/2)

policy based routing(1/4)
• Before the troubleshooting, we should understand the concept of PBR.
• PBR is a technique used to make routing decisions based on policies set by the network administrator.
• When a router receives a packet, it normally decides where to forward it based on the destination address in the packet.
• However, in some cases there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on the source address, not the destination address.
• This is where PBR is useful.

policy based routing(2/4)
• Example of using PBR: let's assume that the traffic goes to the internet through e0/0. It is required to force it to go through the firewall filter.

policy based routing(3/4)
• Here is the solution:

  access-list 111 permit ip 10.0.0.0 0.255.255.255 any
  !
  route-map net-10 permit 10
   match ip address 111
   set interface Ethernet0/1
  !
  route-map net-10 permit 20
  !
  interface Ethernet3/0
   ip address 172.16.79.3 255.255.255.0
   ip policy route-map net-10

policy based routing(4/4)
• Here is the solution in Junos:

  set access-list extended 10 src-ip 10.0.0.0/24 entry 1
  set match-group name ahmed
  set match-group ahmed ext-acl 10 match-entry 1
  set action-group name ABC
  set action-group ABC next-hop 172.16.39.2/14 action-entry 1
  set pbr policy name pbr_policy
  set pbr policy pbr_policy match-group ahmed action-group ABC 1
  exit
  set interfaces e-3/0 pbr pbr_policy

OSPF routing protocol

Configuring OSPF(1/1)

Configuring OSPF(2/2)
• Remember, you can navigate down to the area or interface configuration level.

  [edit protocols ospf]
  lab@router# edit area 0.0.0.2
  [edit protocols ospf area 0.0.0.2]
  lab@router# set interface fe-0/0/0.0

Area types
• Junos also supports different types of OSPF areas, as Cisco does (stub, so stubby, not so stubby area). You can configure them using:

Injecting routes to OSPF(1/2)

Injecting routes to OSPF(2/2)
• An example:

Area Authentication(1/2)

Area Authentication(2/2)
• When we show the configuration:

Monitoring OSPF(1/4)
• Many commands used by Cisco are also used by Junos after removing the IP parameter.

  show ospf database
  show ospf interface
  show ospf interface <interface_name> extensive
  show ospf neighbor
  show route protocol ospf (in Cisco: show ip route ospf)

Monitoring OSPF(2/4)

Monitoring OSPF(3/4)

Monitoring OSPF(4/4)

BGP

BGP differences

Configuring BGP
• Before you start configuring the BGP parameters, you must specify the AS number.

  [edit routing-options]
  lab@router# set autonomous-system 64532
  [edit routing-options]
  lab@router# top
  [edit]
  lab@router# edit protocols bgp

Defining BGP peers(1/4)

Defining BGP peers(2/4)
• Here is an example of configuring two BGP sessions to two neighbors from the same AS:
• Note: my AS is 64532.

Defining BGP peers(3/4)
• Here is an example of configuring two BGP sessions to two neighbors from two different ASs:

Defining BGP peers(4/4)
• When combining the previous two examples:

Sending BGP routes(1/2)

Sending BGP routes(2/2)

Writing policies(1/8)

Writing policies(2/8)

Writing policies(3/8)

Writing policies(4/8)

Writing policies(5/8)
• Defining a simple export policy:

Writing policies(6/8)
• Defining a policy to set the local preference to 110 and two policies to filter routes from two peers:

Writing policies(7/8)
• How to apply a policy to set the local preference to 110 and two policies to filter routes from two peers:

Writing policies(8/8)
• We can use a prefix list to simplify the operation of the policy.
• As you can see, the same prefix list is used in one policy to accept the prefixes and in another one to reject them:
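The policies described on slides 6/8 to 8/8, as an added example that is not taken from the original slides. All policy, group and prefix-list names, the prefixes, the neighbor addresses and the peer AS numbers are constructed; only the local preference of 110 comes from the slides.

```junos
policy-options {
    /* Constructed documentation prefixes, not taken from the slides */
    prefix-list PEER-PREFIXES {
        198.51.100.0/24;
        203.0.113.0/24;
    }
    /* No accept or reject here, so evaluation continues with the
       next policy in the import chain */
    policy-statement SET-LOCAL-PREF-110 {
        then {
            local-preference 110;
        }
    }
    /* Allow-list: only the listed prefixes are accepted */
    policy-statement ACCEPT-LISTED {
        term listed {
            from {
                prefix-list PEER-PREFIXES;
            }
            then accept;
        }
        term everything-else {
            then reject;
        }
    }
    /* Deny-list: the same prefix list, now used to reject */
    policy-statement REJECT-LISTED {
        term listed {
            from {
                prefix-list PEER-PREFIXES;
            }
            then reject;
        }
    }
}
protocols {
    bgp {
        group external-peers {
            type external;
            neighbor 192.0.2.1 {
                peer-as 64600;
                import [ SET-LOCAL-PREF-110 ACCEPT-LISTED ];
            }
            neighbor 192.0.2.5 {
                peer-as 64700;
                import [ SET-LOCAL-PREF-110 REJECT-LISTED ];
            }
        }
    }
}
```

A `prefix-list` match in a policy is an exact match, so longer prefixes inside the listed ranges are not matched by either filter policy.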

Monitoring BGP(1/4)
• Many commands used by Cisco are also used by Junos after removing the IP parameter.
  * show bgp summary
  * show bgp neighbor
  * show route receive-protocol bgp <neighbor ip address>
    In Cisco: show ip bgp neighbors <neighbor ip address> received-routes
  * show route advertising-protocol bgp <neighbor ip address>
    In Cisco: show ip bgp neighbors <neighbor ip address> advertised-routes

Monitoring BGP(2/4)

Monitoring BGP(3/4)

Monitoring BGP(4/4)

glossary
