JUNOS 101更新: Juniper JUNOS EBooks on iPAD

现在,Juniper JUNOS Day One 系列的全套书籍都可以在iPAD上免费阅读。

For iPads and iPhones, use your device’s iBook app to download directly to your device. Search for “Juniper Networks” in the iBookstore.

The Day One book series are available for FREE download in PDF format using the book links below. Some books also feature a “Copy and Paste” edition for easy copying of Junos configurations.

除此以外,JUNOS 电子书还支持其它终端平台,包括:Kindles, Androids, Blackberry, iPhones/iPads, Macs and PCs. 目前已经出版的Day One 书籍包括:

Junos Fundamentals Series

Junos Automation Series

Junos Dynamic Services Series

Junos Fabric And Switching Technologies Series

Junos Networking Technologies Series

Advertisements

JUNOS 101更新: Day One – 部署MBGP组播VPN

The networking industry has been looking for the best way to offer Multicast VPN services while leveraging the strength and scalability of the existing unicast technology. The result of several year’s effort is Multi-Protocol BGP Multicast VPN, often referred to as MBGP MVPN. This technology has received a warm welcome in the market and is already deployed in many production networks, ranging from Tier-1 service providers to financial and trading companies.

This Week: Deploying MBGP Multicast VPNs assumes the reader has at least some experience with IP/MPLS architectures, including Multi-Protocol BGP and IGPs, but you need not be an expert in Multicast as the basic concepts are revisited in the book.
Whatever you bring to this book will only be amplified by the clear explanations, the explicit samples, and its attention to detail. Step-by-step the author walks you through a technology that can be explored and stood up in a week. Roll up your sleeves. It’s time to get down to work.

Deploying Multicast VPNs

JUNOS 101更新: Day One – 部署MPLS

While there are many books and papers available that cover network architecture, MPLS services, and MPLS cores, none put all these subjects together in a ‘beginning-to-end’ walk-through methodology using myriad configuration examples for Juniper routers, with explanations for each configuration. This Week: Deploying MPLS is a seminar-in-a- book on the process of designing and standing up a MPLS core, as well as provisioning MPLS services such as L3VPN, VPLS, and Layer 2 circuits.

This Week: Deploying MPLS

JUNOS 101更新: Juniper JUNOS – Day One系列(2)

Update some books since I issued JUNOS 101更新: Juniper JUNOS – Day One系列(1) in last year.

JUNOS Fundamentals Series

This Day One series introduces the JUNOS OS to new users, one day at a time. This handy set of booklets starts at the beginning with the practical steps and knowledge to set up and operate any device running JUNOS. The JUNOS Fundamental Series includes:

Exploring the JUNOS CLI

The command-line interface is the software interface to access your Junos device. Learn the essentials about its commands and mechanics, including how to navigate the interface and both the operational and configuration modes. After reading, you will be able to:

  • Understand the hierarchies within each mode.
  • Get onboard help and use keyboard shortcuts to speed up your work.
  • Show device status, alarms, and other helpful information in operational mode.
  • Modify, save, and load configuration files with minimal risk to operations.
  • Use basic configuration mode commands such as show, set, and delete.
  • Capitalize on the safety features of the Junos commit model.
  • Prepare system changes in advance.
  • Use the shortcuts and tips of experienced users and avoid common problems.

Configuring JUNOS Basics

Configure the basic settings of your device and learn more about configuration mode in this booklet. You’ll learn the first steps to configuring a Junos device, whether you are setting up a router, switch, or security platform. After reading, you will be able to:

  • Create a handy checklist of settings to use in configuring the system basics.
  • Create login accounts and permissions.
  • Set up SNMP to work with your existing systems.
  • Monitor your device remotely and configure system logs.
  • Install Web-based management.
  • Make changes faster with configuration shortcuts.
  • Streamline device setup with configuration groups and templates.
  • Compare your resulting configuration to the booklet example.

JUNOS Automation Series

This Day One series helps you to begin using the powerful Junos OS tools for automating the methods and procedures of your network with step-by-step instructions and lots of examples. The Junos Automation Series includes:

Applying JUNOS Operations Automation

Junos automation is a set of tools to automate the operational methods and procedures of a network. Understand how Junos automation tools work, how to write and use op scripts that can optimize Junos commands to your environment, and where to find out more. After reading, you will be able to:

  • Explain where to use the different Junos script types.
  • Use reference scripts from this book and Juniper’s script library.
  • Interpret the XML data structures used by Junos devices.
  • Communicate with Junos through the Junos XML API.
  • Ease how you write XML data structures using the SLAX XML abbreviated format.
  • Read SLAX scripts and understand the operations they perform.
  • Create your own customized operation scripts.

Applying JUNOS Event Automation

Event automation instructs Junos of actions to take in response to system events through event policies and event scripts. Use event automation to speed time-to-resolve, minimize the impact of events and automate time-of-day changes. After reading, you will be able to:

  • Understand the difference between an op script and an event script.
  • Identify potential events that could be automated.
  • Build the needed event policy to match desired events and conditions.
  • Correlate multiple events and determine the proper response to those events based on their relationship to each other.
  • Create your own customized event scripts.

Applying JUNOS Configuration Automation

Configuration automation provides a way to add customized intelligence as part of the commit process used by Junos to validate configuration changes. Commit scripts can control the commit process in multiple ways ranging from simple warning messages to complex configuration changes based on the presence of configuration macros. This booklet shows you how to:

  • Understand the role of and possible uses for commit scripts.
  • Provide feedback as part of the commit process through warning or syslog messages.
  • Halt the commit process with error messages.
  • Alter the configuration through commit scripts.
  • Use configuration macros to simplify your configuration or to store specialized data.
  • Create your own customized commit scripts.

学习笔记: Internet cheat sheets on PacketLife

Stretch@packetlife一直在blog上发布一系列技术Cheat Sheets ── 浓缩式技术笔记,或者是考试前提前准备的小抄。:-D 这些Cheat Sheets涵盖了包括BGP、IS-IS、OSPF、802.11、QoS……甚至Physical Terminations等各方面的内容,每一份都是一到两页纸的PDF文件,是很好的一套个人复习笔记。我个人并没有仔细阅读其中的内容,同时希望对您有所帮助。当然,Stretch所做的远远不止单纯发布学习笔记和Cheat Sheets,相对而言应当说这他的兴趣更为准确。详细的信息请参考Site Transition and Other Stuff.

另外,这些Cheat Sheets的国际版目前也正在寻找志愿协作人员,这里有一个BGP Cheat Sheet的法语版本。目前还没有找到中文简体版本的协作者,Stretch编辑的Cheat Sheets无论从界面,还是实用性上面取决于各人观念差异,相信仍然会吸引很大一部分网络工作人员的眼球。如果您有兴趣,可以联系Stretch,相信他会欢迎您的协助。PS: 考虑到版权原因,请到PacketLife上下载相关的资料,下面是相关资料截图 ──

Protocols – BGP

tn_BGP.pdf

Protocols – IS-IS

tn_IS-IS.pdf

Protocols – OSPF

tn_OSPF.pdf

Protocols – EIGRP / First Hop Redundancy

tn_EIGRP.pdftn_First_Hop_Redundancy.pdf

Protocols – IEEE 802.11 WLAN

tn_IEEE_802.11_WLAN.pdf

Protocols – IEEE 802.1x / IPsec

tn_IEEE_802.1X.pdftn_IPsec.pdf

Protocols – IPv4 Multicast / IPv6

tn_IPv4_Multicast.pdftn_IPv6.pdf

Protocols – Spanning Tree

tn_Spanning_Tree.pdf

Applications – Wireshark Display Filters

tn_Wireshark_Display_Filters.pdf

Reference – tcpdump / IOS IPv4 Access Lists

tn_tcpdump.pdftn_IOS_IPv4_Access_Lists.pdf

Reference – IPv4 Subnetting / Common Ports

tn_IPv4_Subnetting.pdftn_common-ports.pdf

Technologies – QoS

tn_QoS.pdf

Technologies – Frame Mode MPLS / VLANs

tn_Frame_Mode_MPLS.pdftn_VLANs.pdf

Miscellaneous – Cisco IOS Versions / Physical Terminations

tn_Cisco_IOS_Versions.pdftn_physical-terminations.pdf

Miscellaneous – Markdown / MediaWiki

tn_Markdown.pdftn_MediaWiki.pdf

JNCIP: JUNOS OSPF虚链路配置 – Part 3

提升JUNOS OSPF收敛时间: hello/dead-interval vs. bfd

通过之前的实验不难发现,R4与R5之间的链路,包括R3与R4之间的链路,两条骨干网链路是整个实验网络的关键部分。通过预先在非骨干区域内创建虚链路,是一个不错的保持骨干区域连续性的备份方案。在R3与R5之间建立虚链路,更能够同时使在R4/R3/R5之间任一骨干区域链路失效后仍然能保障骨干区域的连续性。除此以外,另一个需要考虑的便是对链路失效检测的延时性能,争取在更短的时间内完成路由收敛。其中,降低OSPF Hello包的发送周期以及邻居失效周期是最常见的方式。我们可以在R3/R4/R5的骨干网接口上进行设置,需要注意的是链路两端的路由器必须设置相同的计时器值,计时器同步是形成OSPF邻接关系的必要前提。我们将三台路由器的所有骨干网接口计时器值减少为默认的50%,注意不要忘记对R3/R5之间的虚链路接口一起设置:

[edit logical-routers]
nigel@itaalab# set r4 protocols ospf area 0 interface
 fxp2.34 hello-interval 5 dead-interval 20 

[edit logical-routers]
nigel@itaalab# set r4 protocols ospf area 0 interface
 fxp1.45 hello-interval 5 dead-interval 20 

[edit logical-routers]
nigel@itaalab# set r3 protocols ospf area 0 interface
 fxp1.34 hello-interval 5 dead-interval 20 

[edit logical-routers]
nigel@itaalab# set r5 protocols ospf area 0 interface
 fxp2.45 hello-interval 5 dead-interval 20 

[edit logical-routers r3 protocols ospf area 0.0.0.0]
nigel@itaalab# set virtual-link neighbor-id 10.0.3.5
 transit-area 3 hello-interval 5 dead-interval 20 

[edit logical-routers r5 protocols ospf area 0.0.0.0]
nigel@itaalab# set virtual-link neighbor-id 10.0.3.3
 transit-area 3 hello-interval 5 dead-interval 20

尽管默认情况下OSPF的dead-interval自动被调节为Hello-interval的4倍,然而还是建议(OK,这只是一个“建议”,如果非要问为什么提出这样的建议同时给予解释的话请无视 ── 你有权决定是否采纳建议,而我同样有权决定是否提供建议 ── 就那么简单的逻辑关系搞不懂怎么就有人偏搞不懂?)同时手动定义两个参数,查看R3的OSPF接口状态,可以看到全部区域0.0.0.0内全部接口的计时器值全部被修改为5/20sec,值得注意的是R3与R5之间的链路只有属于区域0.0.0.0的虚链路被修改为新的计时值,而物理接口仍然属于区域3,因此被保留为默认10/40sec不变:

nigel@itaalab# run show ospf interface
 logical-router r3 detail
Interface   State   Area    DR ID    BDR ID   Nbrs
fxp1.34      BDR    0.0.0.0 10.0.3.4 10.0.3.3    1
  Type: LAN, Address: 10.0.2.5, Mask: 255.255.255.252,
  MTU: 1496, Cost: 1
  DR addr: 10.0.2.6, BDR addr: 10.0.2.5, Adj count: 1,
  Priority: 128
  Hello: 5, Dead: 20, ReXmit: 5, Not Stub
  Auth type: None
lo0.3       DRother 0.0.0.0 0.0.0.0  0.0.0.0     0
  Type: LAN, Address: 10.0.3.3, Mask: 255.255.255.255,
  MTU: 65535, Cost: 0
  Adj count: 0, Priority: 128, , Passive
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
vl-10.0.3.5 PtToPt  0.0.0.0 0.0.0.0  0.0.0.0     1
  Type: Virtual, Address: 10.0.2.2, Mask: 0.0.0.0,
  MTU: 0, Cost: 1
  Adj count: 1
  Hello: 5, Dead: 20, ReXmit: 5, Not Stub
  Auth type: MD5, Active key ID: 10, Start time:
 2008 Jan  1 07:00:00 LONT
fxp1.35      BDR    0.0.0.3 10.0.3.5 10.0.3.3    1
  Type: LAN, Address: 10.0.2.2, Mask: 255.255.255.252,
  MTU: 1496, Cost: 1
  DR addr: 10.0.2.1, BDR addr: 10.0.2.2, Adj count: 1,
  Priority: 128
  Hello: 10, Dead: 40, ReXmit: 5, Not Stub
  Auth type: None
fxp2.13      BDR    0.0.0.10 10.0.6.1 10.0.3.3   1
  Type: LAN, Address: 10.0.4.13, Mask: 255.255.255.252,
  MTU: 1496, Cost: 2
  DR addr: 10.0.4.14, BDR addr: 10.0.4.13, Adj count: 1,
  Priority: 128
  Hello: 10, Dead: 40, ReXmit: 5, Stub NSSA
  Auth type: None

尽管缩短Hello周期能在一定程度上提升OSPF的收敛速度,然而,OSPF Hello数据包可设置的最短周期为1秒,那么邻居失效周期最短也只能为4秒钟,对于那些承载着对延时极为敏感的业务的网络而言,这样的失效检测周期依然需要提升效率。JUNOS从6.1版本开始便支持能够更快的,达到微妙级别的双向转发检测,BFD(Bidirectional Forwarding Detection),BFD是一种简单的Hello协议,然而BFD通过基于转发层面对下一跳邻居的监测 ─ 传统的IGP Hello机制是基于控制层面邻居维护,却能够有效的提升那些在传统上不存在硬件失效监测的链路,而只能依赖于IGP的Hello机制作为检测手段,如以太网络,它们对于链路失效检测的性能。同时BFD独立于各种IGP协议,不单纯能够为OSPF,并且能够为ISIS,BGP甚至MPLS提供在二层链路上的保障服务。目前,在JUNOS 8.5版本上面,我们可以测试在逻辑路由器上建立BFD会话。

[edit logical-routers]
nigel@itaalab# show r3 protocols ospf area 0
virtual-link neighbor-id 10.0.3.5 transit-area 0.0.0.3 {
    hello-interval 5;
    dead-interval 20;
    authentication {
        md5 10 key "$9$vMg8xd24Zk.54a39";
 ## SECRET-DATA
    }
}
interface fxp1.34 {
    hello-interval 5;
    dead-interval 20;
    bfd-liveness-detection {
        minimum-interval 500;
    }
}

[edit logical-routers]
nigel@itaalab# show r4 protocols ospf area 0
interface fxp2.34 {
    hello-interval 5;
    dead-interval 20;
    bfd-liveness-detection {
        minimum-interval 500;
    }
}
interface fxp1.45 {
    hello-interval 5;
    dead-interval 20;
    bfd-liveness-detection {
        minimum-interval 500;
    }
}

[edit logical-routers]
nigel@itaalab# show r5 protocols ospf area 0
virtual-link neighbor-id 10.0.3.3 transit-area 0.0.0.3 {
    hello-interval 5;
    dead-interval 20;
    authentication {
        md5 10 key "$9$ck.rK8-VYZUHVwPQ";
 ## SECRET-DATA
    }
}
interface fxp2.45 {
    hello-interval 5;
    dead-interval 20;
    bfd-liveness-detection {
        minimum-interval 500;
    }
}

BFD默认的失效时间是传输周期的3倍,在上面的配置中,我们将传输周期设置为500毫秒(ms),链路失效时间将被自动设置为1.5秒,当然,你还可以使用multiplier来定义失效时间相对于传输周期的倍数来进一步缩短或者延长链路失效时间。BFD能够为OSPF服务,但却不像OSPF计时器需要在所有接口下面打开,我们可以按照需求在某几条特定链路的两端路由器接口上设置BFD,以下的输入确认R4上BFD的两个连接,并且确认BDF目前的为OSPF协议服务:

nigel@itaalab# run show bfd session detail logical-router
 r4
                                     Transmit
Address  State Interface Detect Time Interval Multiplier
10.0.2.9 Up    fxp1.45       1.500    0.500       3
 Client OSPF, TX interval 0.500, RX interval 0.500
 Session up time 00:13:15
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical router 1, routing table index 5
                                     Transmit
Address  State Interface Detect Time Interval Multiplier
10.0.2.5 Up    fxp2.34       1.500    0.500       3
 Client OSPF, TX interval 0.500, RX interval 0.500
 Session up time 00:13:15
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical router 1, routing table index 5

2 sessions, 2 clients
Cumulative transmit rate 4.0 pps, cumulative receive
 rate 4.0 pps

JNCIP: JUNOS OSPF虚链路配置 – Part 2

JUNOS实时流量嗅探与跟踪调试OSPF协议信息

继续上文关于邻居认证的话题,要求使用MD5哈希校验加密认证的原因在于使用明文密码很容易在转发的过程中被截获。不需要额外的第三方工具,JUNOS本身内置的嗅探机制:monitor traffic相当于UNIX的tcpdump命令,便能通过实时监控接口流量捕获明文发送的密码。我们先将R5端的认证方式修改为明文认证,密码为:juniper,然后再进行监控:

[edit logical-routers r5 protocols ospf]
nigel@itaalab# show area 0
virtual-link neighbor-id 10.0.3.3 transit-area 0.0.0.3 {
    authentication {
        simple-password "$9$NYVs4UjqQF/aZF/CtIR-Vw";
 ## SECRET-DATA
    }
}

提示:使用monitor traffic的时候,应该对物理接口进行监控,假如仅监控逻辑接口,你进能够获得有限的信息。通常,在监控的过程中终端会快速输出大量的数据,你可以先设置终端软件将日志记录下来,然后通过查找功能定位你希望获得的数据信息。从下面的摘录输出可以发现明文发送的密码很容易的被截获,而对于MD5密文,仅能截获到相关的Key-ID.

nigel@itaalab# run monitor traffic interface fxp1
 extensive
Listening on fxp1, capture size 96 bytes

06:47:16.290110  In 0:aa:0:0:1:74 0:aa:0:0:1:63 8100 82:
 VID [0: 135] (tos 0xc0, ttl 255, id 44498, offset 0,
 flags [none], proto: OSPF (89), length: 64)
 10.0.2.1 > 10.0.2.2: OSPFv2, Hello (1), length: 44
        Router-ID: 10.0.3.5, Backbone Area,
        Authentication Type: unknown (1)juniper^@"
        Options: [External]
          Hello Timer: 10s, Dead Timer 40s, Mask: 0.0.0.0
          , Priority: 0

…………
06:47:20.636209 Out 0:aa:0:0:1:63 0:aa:0:0:1:74 8100 98:
 VID [0: 135] (tos 0xc0, ttl 255, id 44509, offset 0,
 flags [none], proto: OSPF (89), length: 80)
 10.0.2.2 > 10.0.2.1: OSPFv2, Hello (1), length: 44
        Router-ID: 10.0.3.3, Backbone Area,
        Authentication Type: MD5 (2)
        Key-ID: 10, Auth-Length: 16,
        Crypto Sequence Number: 0x0001b8b7
        Options: [External]
          Hello Timer: 10s, Dead Timer 40s, Mask: 0.0.0.0
          , Priority: 0 [|ospf]

显然,尽管monitor traffic能够提供一种快速调试,定位问题所在的方法;然而显然是一种体力活,在监控OSPF路由协议信息的同时,有可能被同时通讯的其他协议的信息干扰;而且不方便将输出信息组织并形成文档。JUNOS同时提供了类似于IOS的debug ip ospf命令的工具:traceoptions,来专门对某种特定协议信息进行监控(不局限于OSPF单一协议),另一方面,traceoptions的记录是一种持续的过程,它将所有的调试信息归档到日志文件中,即便在终端上停止了对该协议的监控,相关的日志信息依然会不断在后台被添加进入日志文件当中。日志文件的位置被存放在/var/log目录(M/T系列路由器)或者/cf/var/log目录下(J系列路由器),在使用逻辑路由器进行练习的环境当中,同一个逻辑路由器上面的所有traceoptions日志文件都会被汇总到与逻辑路由器的同名目录当中。针对上面的情况,我们设置OSPF的traceoptions监控其Hello/error数据包:

nigel@itaalab# run monitor start r3/ospf-log
*** r3/ospf-log ***

Jul 26 07:42:36 OSPF packet ignored:
                authentication type mismatch (1)
                from 10.0.2.1
Jul 26 07:42:36 OSPF sent Hello 10.0.2.2 -> 10.0.2.1
                (vl-10.0.3.5, IFL 0x0)
Jul 26 07:42:36   Version 2, length 44, ID 10.0.3.3,
                  area 0.0.0.0
Jul 26 07:42:36   checksum 0x0, authtype 0
Jul 26 07:42:36   mask 0.0.0.0, hello_ivl 10, opts 0x2,
                  prio 0
Jul 26 07:42:36   dead_ivl 40, DR 0.0.0.0, BDR 0.0.0.0

确定认证失效信息后,我们恢复R5上的认证配置,继续下面的实验。