Juniper Basic Concept

Juniper Devices' Series Details



Devices    Series        Descriptions
---------  ------------  ----------------------------------------------------------------
Routers    M-series      The original range of Juniper routers; routing only, no switching
           T-series      High-speed core router; getting old now
           J-series      Branch office routers; also end of life
           MX-series     Core and edge router, designed for the network edge; virtual appliance (vMX) available
           ACX           Environmentally hardened routers
           PTX           Aka 'packet transport routers'; high-speed routers used by service providers and data centres
           SRX           Firewall and branch router; vSRX (virtual appliance) is also available

Switches   EX            Enterprise grade, from the access layer to ToR to core
           QFX           Very low-latency switches, suitable for HFT (high frequency trading)

Others     NFX           Network services platform (SDN) devices
           Junos Space   Centralised management
           Contrail      SDN controller
           NorthStar     SD-WAN controller






Juniper Interface Types


Form of Interfaces
IFD = physical device
IFL = logical device
IFF = address family
IFA = address entry


Interface Descriptions


ge          = gigabit ethernet

xe          = 10G ethernet

et/xle/fte  = 40G ethernet

et          = 100G ethernet

ae          = aggregated ethernet (LAG or EtherChannel)

vlan or irb = a logical interface based on a vlan


The interface name has three numbers

Type-x/y/z (e.g. ge-0/0/0)


x = FPC (Flexible PIC Concentrator, the line card)

y = module or slot (PIC)

z = port number



Management interfaces


fxp0  = physical management interface on a router

em0   = internal ports on a router

me0   = physical management interface on a switch

vme0  = virtual management interface for a switch virtual-chassis (a switch stack)

others 



Special interfaces

Junos has special interfaces called permanent interfaces


pimd/pime = special interfaces for multicast traffic

dsc       = discard interface (to silently drop packets)

ipip/gre  = used to create tunnel interfaces

others 



Unnumbered interfaces

An interface configured without its own IP address (to conserve addresses)






Juniper Hierarchy



Configuration Hierarchy


1. system
        > login
            >> user
        > services


2. interfaces
        > ge-0/0/0
        > irb
            >> unit 10


3. routing-options


4. protocols


5. firewall



Interface Hierarchy


interface = physical parameters (duplex settings, link speed, MTU etc.)


> unit = logical parameters (all logical configuration; a sub-interface, e.g. based on a vlan). For PPP and HDLC encapsulation the unit number is always 0.


>> family (inet = ipv4, inet6 = ipv6, ethernet-switching = layer 2)


>>> settings (IP address, port mode = trunk or access, vlan, others)






Junipers’ versioning system



M.NZB.S


M = Major release number
N = Minor release number
Z = Release type
B = Build (major)
S = Spin (minor)



Release Types


R = First Revenue Ship (FRS) or a maintenance release (the main type of software release)

F = Feature Velocity release (15.1 only)
B = Beta release
I = Internal release
S = Service release
X = Exception release
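As an added example (not part of the original notes), a Python parser for the M.NZB.S scheme above, plus a minimum-version check of the kind used to find devices that are behind a required build on a release train. The version strings and hostnames are constructed samples, not real releases or devices.

```python
import re

# Release types as listed in the notes above.
RELEASE_TYPES = {"R", "F", "B", "I", "S", "X"}

# M.NZB.S -> major.minor, release-type letter, build, optional .spin
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?P<rtype>[A-Z])(?P<build>\d+)(?:\.(?P<spin>\d+))?$"
)


def parse_version(text):
    """Split a Junos version string into its M.NZB.S fields.

    Returns a dict; raises ValueError for anything that does not fit the scheme.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None or m.group("rtype") not in RELEASE_TYPES:
        raise ValueError(f"not a Junos version string: {text!r}")
    return {
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "release_type": m.group("rtype"),
        "build": int(m.group("build")),
        "spin": int(m.group("spin") or 0),
    }


def meets_minimum(running, minimum):
    """True when `running` is on the same release train (M.N and release type)
    as `minimum` and its build.spin is at least as high.

    Different trains are reported as not meeting the minimum, because the
    notes give no ordering across release types.
    """
    r, m = parse_version(running), parse_version(minimum)
    same_train = (r["major"], r["minor"], r["release_type"]) == (
        m["major"], m["minor"], m["release_type"])
    return same_train and (r["build"], r["spin"]) >= (m["build"], m["spin"])


def below_minimum(inventory, minimum):
    """Hostnames whose running version does not meet `minimum`.
    `inventory` maps hostname -> version string."""
    return sorted(h for h, v in inventory.items() if not meets_minimum(v, minimum))


if __name__ == "__main__":
    # Constructed sample inventory: not real devices or real release numbers.
    fleet = {"edge-1": "15.1R7.9", "edge-2": "15.1R6.10", "core-1": "15.1R7.3"}
    print(parse_version("15.1R7.9"))
    print(below_minimum(fleet, "15.1R7.3"))  # edge-2 is behind
```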





Junos Architecture



Monolithic design

It is very simple: all services, including memory management, file management, device management and process management, are contained in and handled directly by the kernel.


APPLICATION

KERNEL
    > process management
    > memory management
    > filesystems
    > drivers

HARDWARE


This is used for a very specific purpose. It can be very fast. However, the entire operating system uses a single memory space. That means a fault in one component can take down the entire kernel. 



Modular design

A modular operating system is a bit different. Each process operates separately and independently from the kernel, in its own protected memory space. Drivers are also independent, which means the operating system can be ported to other hardware more easily. This is a modern and sophisticated design.


APPLICATION
    > file system
    > drivers
    > IPC

KERNEL
    > drivers, memory management, etc.

HARDWARE







Junos Process


chassisd
    > starts up the PFEs, interfaces and other hardware
    > copies run in the RE and in each PFE
    > runs shortly after boot and is responsible for bringing the line cards online, as well as the interfaces on our hardware components


DCD
    > device control daemon
    > manages interfaces (encapsulation, timers, vlans, IP)
    > troubleshoot with: show log dcd

MGD
    > management daemon
    > provides device management (ssh, telnet, web)
    > handles CLI commands and configuration
    > used for management traffic


RPD
    > routing protocol daemon
    > manages all routing protocols (bgp, ospf, isis, rip)
    > works out metrics and finds the best paths
    > multithreaded process that uses scheduling so it does not devote all its time to a single task; this matters because it cannot be allowed to get too busy on one thing and then miss routing updates

SNMPD
    > snmp daemon
    > responds to SNMP polling and sends SNMP traps




Juniper's Control Plane and Data Plane



Each network device is separated into two logical parts: the data plane and the control plane. A plane is a logical concept that explains how traffic is handled.



Control plane


It is responsible for managing traffic sent to or from the device itself. This includes routing protocol traffic, management traffic and so on. Routers exchange routing protocol traffic, switches respond to requests addressed to them, and everything needs to be managed with SSH or another protocol. These types of traffic are sent to or from the device, not through it. This is not transit traffic; it is called exception traffic. Network devices need to receive, process and reply to exception traffic, and this is handled by the control plane.



Data plane


This focuses on forwarding traffic from one location to another. Traffic that comes into a device is likely to be forwarded on to another location; this is called transit traffic, and it passes through the data plane.


RE=Route Engine

PFE=Packet Forwarding Engine



* A special link connects the RE hardware to the PFE hardware; it is called fxp1 or em1. Exception traffic is sent through it; no transit traffic passes over it.


* fxp0 is a management interface.

* fxp1 does not need to be configured.


* We can rate-limit traffic to the RE for its protection; this limits how much traffic can be pushed from the PFE to the RE. This limiter exists as a protection against denial-of-service (DoS) attacks.

* We cannot configure the rate limiter ourselves, however we can create our own firewall filter to further limit traffic to the RE. We can allow and deny traffic to the RE for its protection.




Routing and Forwarding Table

Dynamic routing traffic (OSPF hello and DBD packets) is an example of exception traffic. The RE handles this type of traffic and uses it to build the routing table.

Routing information such as OSPF and BGP comes from neighbour routers. It is exception traffic, so it is handled by the RE; the RE takes this information along with static, connected and local routes and builds the routing table.

The routing table, also known as the RIB (routing information base), contains valid routes to reach destination networks.

The routing table is stored in the RE (control plane) and maintained by the RE, so you can think of the routing table as part of the control plane. The RE takes the best routes from the routing table to build the forwarding table.

The forwarding table, also known as the forwarding information base (FIB), contains layer 2 and layer 3 information. The RE pushes the forwarding table to the PFEs (data plane).

The PFEs can make forwarding decisions for transit traffic without needing to consult the RE. The FIB is part of the data plane.

N.B: the routing table contains all valid routes and is stored in the RE; the forwarding table contains the best routes and is held in both the RE and the PFE. The forwarding table is more than just layer 3 routes: it also contains layer 2 and layer 1 information, so the PFE knows which destination MAC and interface to use for egress traffic.



Routing Table

IPv4 routing table                     - inet.0
IPv6 routing table                     - inet6.0
Multicast forwarding cache             - inet.1, inet6.1
Multicast RPF (mcast loop prevention)  - inet.2

There are several routing tables in Junos. The main routing table is for IPv4 unicast routes and is named inet.0; the routing table for IPv6 unicast routes is named inet6.0.

The routing table is separate from the forwarding table: valid routes go into the routing table and the best routes are selected for the forwarding table. That means if we have two identical routes to the same destination, meaning one is not better than the other, they will both go into the routing table. However, even though they are equal, only one, selected at random, will be installed into the forwarding table.

We can't talk about this without mentioning reverse path forwarding (RPF). This is a method of determining whether a packet is valid or is perhaps coming from an attacker. This is the logic behind reverse path forwarding:

If there is a valid route back to the packet's source, the packet is forwarded as normal; if there is no valid route, the packet is dropped. The reason is that some attacks use forged source IP addresses. If traffic is coming from a source we have no route to, it has likely been forged. This way we can improve our security posture.

RPF operates in one of two modes: strict mode or loose mode.

In loose mode the source IP of the packet must exist in the routing table; as long as the route is there, no problem, and the packet is allowed.
In strict mode the source IP of the packet must be in the routing table and the packet must be received on the interface that is used in that route.

If asymmetric traffic is normal in your environment, loose mode is better; if symmetric traffic is normal, strict mode is better.
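The strict and loose checks described above, as an added Python model that is not part of the original notes: a longest-prefix lookup of the packet's source address against a constructed routing table, then the mode-specific decision. The prefixes and interface names are constructed sample data.

```python
import ipaddress

# Constructed routing table: prefix -> interface the route points out of.
ROUTING_TABLE = {
    "10.0.0.0/8": "ge-0/0/0.0",
    "10.1.0.0/16": "ge-0/0/1.0",
    "192.168.1.0/24": "ge-0/0/2.0",
}


def lookup_source(table, src_ip):
    """Longest-prefix match of the packet's *source* address.

    Returns (network, interface), or None when no route covers the source.
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def rpf_check(table, src_ip, ingress_iface, mode="strict"):
    """True if the packet passes the RPF check, False if it would be dropped."""
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown RPF mode {mode!r}")
    match = lookup_source(table, src_ip)
    if match is None:
        return False  # no route back to the source: likely forged, dropped in both modes
    if mode == "loose":
        return True   # loose: any route to the source is enough
    # strict: the route must point out of the interface the packet arrived on
    return match[1] == ingress_iface


if __name__ == "__main__":
    # Same packet, asymmetric path: strict drops it, loose allows it.
    print(rpf_check(ROUTING_TABLE, "10.1.2.3", "ge-0/0/0.0", "strict"))  # False
    print(rpf_check(ROUTING_TABLE, "10.1.2.3", "ge-0/0/0.0", "loose"))   # True
    # Source with no route at all: dropped in both modes.
    print(rpf_check(ROUTING_TABLE, "172.16.5.5", "ge-0/0/2.0", "loose"))  # False
```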





Junos Firewall Filters

Filters are used to match traffic and perform an action. In the most obvious case this acts as a packet filter or stateless firewall, but filters can be used for other things too, like routing policies and quality of service.

The most obvious use of a firewall filter is to permit or deny traffic. This makes our router or switch act as a stateless firewall.

The first component of a filter is the term; each policy contains one or more terms. The terms are the rules, like access control entries in an ACL. They contain the matching conditions and the action. When there is more than one term they are evaluated top down, in the order they appear in the config.

There is an implicit deny at the end of the filter. This is an invisible term that drops all traffic and is used if no other term matches.

There are two parts to a term: the first matches traffic conditions using a from statement, the second applies an action with a then statement.

Using from statements we can match criteria like source and destination IP addresses, source and destination ports, protocol, and packet header fields like CoS markings. Multiple from statements in a single term are also valid; if there are multiple from statements, they must all match for the entire term to be considered a match.

If the term doesn't match, processing moves on to the next term.

From statements are optional; if there is no from statement, all traffic will match.

The then statement only applies if the traffic has been matched by the from statement. We can apply more than one action in some cases.


Simple actions

accept (terminating)
reject (with ICMP response) (terminating)
discard (silently) (terminating)
syslog (non-terminating)
sample (non-terminating)
next term (non-terminating)

* Reject will drop the packet and send back an ICMP unreachable message. Discard will silently drop the packet.

* When a terminating action is applied, processing of the packet filter ends; no further terms are evaluated. Non-terminating actions are not final, which is why we can apply more than one action in some cases. We can have several non-terminating actions per term, but only one terminating action.

When we apply only non-terminating actions, the term technically comes with an implicit accept action, and that terminating accept would prevent any other terms from being evaluated. To work around this, we can apply the next term action.
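The term-evaluation rules above (top-down order, all from-conditions must match, non-terminating actions accumulate, one terminating action ends processing, the implicit accept on a term with only non-terminating actions, next term, and the implicit deny at the end), as an added Python model that is not part of the original notes. The sample filter, addresses and packets are constructed; it is the shape of an RE-protection filter, not a real device's configuration.

```python
import ipaddress

TERMINATING = {"accept", "reject", "discard"}
NON_TERMINATING = {"syslog", "sample"}
ADDRESS_FIELDS = {"source-address", "destination-address"}


def field_matches(field, allowed, value):
    """One from-condition: address fields match by prefix, others by membership."""
    if value is None:
        return False
    if field in ADDRESS_FIELDS:
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(p) for p in allowed)
    return value in allowed


def term_matches(term, packet):
    """All from-conditions must match; a term with no from matches everything."""
    conditions = term.get("from", {})
    return all(field_matches(f, allowed, packet.get(f)) for f, allowed in conditions.items())


def evaluate_filter(terms, packet):
    """Walk the terms top down; return (terminating_action, side_effects, term_name)."""
    side_effects = []
    for term in terms:
        if not term_matches(term, packet):
            continue                      # no match: move on to the next term
        actions = term["then"]
        side_effects += [a for a in actions if a in NON_TERMINATING]
        if "next term" in actions:
            continue                      # explicit next term defeats the implicit accept
        terminating = [a for a in actions if a in TERMINATING]
        # Only non-terminating actions present -> implicit accept ends processing.
        return (terminating[0] if terminating else "accept"), side_effects, term["name"]
    return "discard", side_effects, None  # implicit deny at the end of the filter


# Constructed filter of the kind applied to lo0 to protect the RE.
RE_PROTECT = [
    {"name": "log-ssh", "from": {"protocol": {"tcp"}, "destination-port": {22}},
     "then": ["syslog", "next term"]},
    {"name": "mgmt-ssh", "from": {"source-address": ["192.168.100.0/24"],
                                  "protocol": {"tcp"}, "destination-port": {22}},
     "then": ["accept"]},
    {"name": "other-ssh", "from": {"protocol": {"tcp"}, "destination-port": {22}},
     "then": ["reject"]},
    {"name": "ospf", "from": {"protocol": {"ospf"}}, "then": ["accept"]},
]

if __name__ == "__main__":
    pkt = {"source-address": "10.9.9.9", "protocol": "tcp", "destination-port": 22}
    print(evaluate_filter(RE_PROTECT, pkt))  # ('reject', ['syslog'], 'other-ssh')
```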


Firewall purposes


packet filtering
We apply it to an interface. Each interface can have filters applied in the ingress direction and in the egress direction; in config we refer to these as input and output. We can apply one policy to several interfaces if we want to.

* We can also apply more than one policy to a single interface.

For example, we might have general policies that apply to all interfaces and then more specific policies that apply to some of them.

This can be done in two ways: nested and list.


Nested: we have a single firewall filter applied to the interface. This filter contains its own terms, conditions and actions, and some of these terms refer to other firewall filters. This is a hierarchical style of approach.

1. Nested (diagram)




List: we can apply filters directly to the interface as a list using square brackets. The filters are evaluated sequentially in the order that they appear in the list. When you have a list of firewall filters you can start using the next policy action: if this is applied, the rest of the current policy is skipped and the next policy in the list is evaluated.

2. List (diagram)




policies and quality of service
Juniper has a loopback interface, which can be divided into logical interfaces with unit numbers. In Junos we have one loopback interface, loopback zero (lo0). By default it comes configured with unit zero and an IP address.

Unit zero has the IPv4 address 127.0.0.1; this is the logical connection to the routing engine.

The filter is applied under the family; you need to use the same family as you did in the filter.

* Protecting the RE using a filter is one form of control plane protection (CoPP).

If we add a log action to our firewall filter term, we can see additional information using the 'show firewall log' command.

Stateless filtering does not track the state of a flow of traffic the way a real firewall does with stateful filtering. SRX firewalls can do stateful firewalling.






Juniper Active and Candidate Area


Active

The configuration that is running right now


Candidate

The configuration we are preparing, not active yet


Commit command moves the candidate config to the active config



Location of the candidate

/var/rundb/juniper.data


ex: run file list /var/rundb






Juniper Devices' Modes


Shell Mode
The Initial mode of the device.


Operational Mode
We cannot configure here, only check the configuration of the device. This is like the privileged mode of Cisco IOS.


Configuration Mode
Here we can configure the devices.




Juniper Devices' Keyboard shortcuts

Ctrl+u    : erases the entire command you have been typing
Ctrl+w    : erases word by word
Ctrl+a    : moves to the start of the line
Ctrl+e    : moves to the end of the line
Alt+b     : moves back one word
Alt+f     : moves forward one word
Ctrl+k    : deletes from the cursor to the end of the line
Ctrl+l    : redraws the current line
Ctrl+p/n  : repeats the previous or next command in the history



















