MX SERIES

CLI cheatsheet: junos-cli-chearsheet.pdf

BGP
Adj-RIB-in / Adj-RIB-out

show route receive-protocol bgp <peer-ip>
show route advertising-protocol bgp <peer-ip>  # use this for internal 'show route range <prefix>'

To see which routes are using the primary or secondary BGP session (equivalent to “sh ip bgp”):

show route protocol bgp
show route protocol bgp terse

Shows the prefixes reachable through this BGP link (pair it with 'monitor interface traffic detail' to see the traffic on the link):

show route protocol bgp next-hop 10.128.2.29

Example eBGP config

set protocols bgp group PEER type external
set protocols bgp group PEER local-address x.x.x.x
set protocols bgp group PEER peer-as X
set protocols bgp group PEER neighbor 10.128.2.10 import X-IMPORT
set protocols bgp group PEER neighbor 10.128.2.10 export X-EXPORT
set protocols bgp group PEER neighbor 10.128.2.10 bfd-liveness-detection minimum-interval 5000
set protocols bgp group PEER neighbor 10.128.2.10 bfd-liveness-detection multiplier 3

Also interesting, worth using more often (External Link):

show bgp neighbor  # Plenty of info about the neighbor
show bgp group
show route aspath-regex   # Equivalent to show ip bgp regexp

BGP TIMERS:

set protocols bgp group test neighbor 1.1.1.1 hold-time 30 # HOLD-TIME (default 90 sec). The keepalive is derived indirectly as one third of the hold time. Note the Cisco default is 60
set protocols bgp group test neighbor 1.1.1.1 out-delay 30 # how long a route must be present in the Junos OS routing table before it is exported to BGP; default 0
set protocols bgp group test family inet unicast delay-route-advertisements minimum-delay inbound-convergence # waits a specified period of time for its neighbors to establish peering sessions; in Cisco this is 'bgp update-delay'

DEPLOYMENT
To get inspiration: External Link & this seminal External Link

  • Protect BGP
  • irb / bridge domain relationship and implement inter-vlan filtering
  • Be sure loncr02 is sending prepending, review policy options
    • To do so, I remove the aggregate route (seems to add longer!) and add a discard route with /24. Verify nothing gets broken!

PREPENDING:
We normally use export but we can use import sometimes: http://www.techexams.net/forums/juniper-certifications/63609-bgp-path-prepending.html


ANNOTATE JUNOS CONFIGURATION External Link

annotate route 192.193.0.0/16 /* CITI /16 Publicly assigned Prefix */

SYSLOG

RPD_BGP_NEIGHBOR_STATE_CHANGED

BFDD_TRAP_MHOP_STATE_DOWN
RPD_OSPF_NBRDOWN
RPD_OSPF_NBRU
....

To display the list of messages that applies to the version of the Junos OS that is running on a routing platform, enter Junos OS CLI operational mode and issue the following command:

help syslog ?

More in: Juniper.net. Search for: syslog-displaying-interpreting-syslog-msg-descriptio
And even more in: http://www.techietek.com/2014/06/24/logging-events-routing-protocols-juniper/
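The messages listed above are what you end up watching on the remote syslog host. As an added example (not from the original page or from Juniper), here is a small parser that runs over constructed syslog lines in the usual Junos shape, counts how often each BGP peer leaves Established and which event caused it, and correlates a BFD multihop-down trap with the BGP drop that follows it. The sample lines, hostnames and process ids are constructed; the message formats are assumed to match real rpd/bfdd output closely enough for the regexes below.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the usual Junos shape; not output from a real router.
SAMPLE_LOG = """\
Jul 22 12:15:05 loncr01 rpd[1423]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.128.2.10 (External AS 65010) changed state from Established to Idle (event HoldTime) (instance master)
Jul 22 12:15:40 loncr01 rpd[1423]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.128.2.10 (External AS 65010) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Jul 22 12:17:02 loncr01 rpd[1423]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.128.2.10 (External AS 65010) changed state from Established to Idle (event HoldTime) (instance master)
Jul 22 12:17:30 loncr01 bfdd[1501]: BFDD_TRAP_MHOP_STATE_DOWN: local discriminator: 12, new state: down, peer addr: 10.128.2.29
Jul 22 12:18:11 loncr01 rpd[1423]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.128.2.29 (Internal AS 65000) changed state from Established to Idle (event Stop) (instance master)
Jul 22 12:20:00 loncr01 mgd[2201]: UI_COMMIT: User 'jaime_santos' requested 'commit' operation (comment: none)
"""

# Assumed message layouts (they follow the rpd/bfdd wording, but verify against 'help syslog').
BGP_RE = re.compile(
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) "
    r"\((?P<kind>External|Internal) AS (?P<asn>\d+)\) changed state from "
    r"(?P<old>\w+) to (?P<new>\w+) \(event (?P<event>\w+)\)"
)
BFD_RE = re.compile(r"BFDD_TRAP_MHOP_STATE_DOWN:.*peer addr: (?P<peer>\S+)")


def parse_events(text):
    """Extract BGP state changes and BFD multihop-down traps; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = BGP_RE.search(line)
        if m:
            events.append({"msg": "RPD_BGP_NEIGHBOR_STATE_CHANGED", **m.groupdict()})
            continue
        m = BFD_RE.search(line)
        if m:
            events.append({"msg": "BFDD_TRAP_MHOP_STATE_DOWN", "peer": m["peer"],
                           "old": None, "new": "down", "event": None})
    return events


def session_drops(events):
    """Per peer, count transitions out of Established keyed by the triggering event."""
    drops = defaultdict(Counter)
    for e in events:
        if e["msg"] == "RPD_BGP_NEIGHBOR_STATE_CHANGED" and e["old"] == "Established":
            drops[e["peer"]][e["event"]] += 1
    return dict(drops)


def flapping_peers(events, threshold=2):
    """Peers whose session left Established at least `threshold` times in the window."""
    return sorted(p for p, c in session_drops(events).items() if sum(c.values()) >= threshold)


def hold_time_expiries(events):
    """Peers dropped by HoldTime expiry, the symptom JTAC associates with host-path congestion."""
    return sorted({e["peer"] for e in events if e.get("event") == "HoldTime"})


def bfd_then_bgp(events):
    """Peers whose BGP drop was preceded by a BFD down trap for the same address."""
    bfd_seen, out = set(), []
    for e in events:
        if e["msg"] == "BFDD_TRAP_MHOP_STATE_DOWN":
            bfd_seen.add(e["peer"])
        elif e["old"] == "Established" and e["peer"] in bfd_seen:
            out.append(e["peer"])
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("drops per peer:", session_drops(evs))
    print("flapping:", flapping_peers(evs))
    print("hold-time expiries:", hold_time_expiries(evs))
    print("bfd then bgp:", bfd_then_bgp(evs))
```

Feed it `tail -f /var/log/router` output from the syslog host; a peer that shows up in hold_time_expiries but not in bfd_then_bgp is the case to check for host-path congestion rather than a link fault.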


MAC ADDRESSES
All scoped to the bridge domains:

show bridge mac-table
show bridge mac-table bridge-domain BD333_444

INTERFACES
See External Link

  • Service interfaces
  • mams-0/0/0 # lets you combine multiple services interfaces into a bundle (lb)
  • mc-ae # multi-chassis; displays information about the aeX interfaces.
  • pfe-0/0/0 # internal pseudo-interface
  • pfh-0/0/0 # internal pseudo-interface
  • si-1/0/0 # services-inline interface. Supported only by MPCs on MX; makes it possible to provide services without a dedicated services PIC.
  • ms-0/0/0 # multiservices interface.

INSTANCES

  1. VRF is configured as a distinct type of routing-instance (literally, instance-type vrf).
  2. Virtual router
    1. Under [edit routing-instances Name] you add a reference to the interfaces, but the logical configuration of the interfaces themselves is done under the main router.
  3. Logical system
    1. Activates a new routing daemon in the router.
    2. Is configured exactly like the main router but under [edit logical-systems Name], logical interfaces included.
    3. Segregated daemon, fully independent in the configuration. Logical systems can only be connected through external interconnections (remember Olive with qemu external cross connections). All elements are contained in [edit logical-systems test].
  4. Routing instance (~= vrf; used in the EX series)



NATTING - NAT NOTES
For this we can use the multipurpose MIC: External Link
This is an overview of the NAT types with MS-MIC line cards: https://www.juniper.net/documentation/en_US/junos/topics/concept/network-address-translation-overview.html
Basic NAT (static 1:1) can be done with inline cards, with better performance.

More advanced NAT such as dynamic NAT requires a service card. Configuration examples here: External Link and here External Link

There are two styles:

  • Using next-hop-service inside the service-set definition External Link
  • Configuring the service set directly on the interface

show services stateful-firewall conversations # to see the translations

show extension-provider system packages interface ?    # to see what services are enabled in each of the ms interfaces

Good example on ms-mic used as a firewall with stateful rules: https://www.saidvandeklundert.nl/mx-ms-mic-16g-mx104-quick-start.php
TO VERIFY IT:
BASIC-NAT44:
Here we use the si- (service-inline) interface to process the traffic.

show services inline nat pool # for BASIC NAT44

NAPT-44:

show services flows  # shows in-outbound and out-inbound traffic
show services flows service-set SNAT-Service-Set # Shows you full 'conversations'
show services nat pool # configuration
show services nat statistics           # full stats
show services service-sets summary # cpu
show services sessions utilization # cpu green, yellow, red..
show services sessions count # session count

Then to see the NAT logs (defined in the NAT rule with a 'then syslog'), we need the following. Note they are not logged locally, only on the remote server:

set services service-set SNAT-Service-Set syslog host local class nat-logs
#
set system syslog user * any emergency
set system syslog host 10.8.11.31 any any
set system syslog host 10.8.11.31 firewall any
set system syslog host 10.8.11.31 facility-override local4
set system syslog host 10.8.11.42 facility-override local4
set system syslog host 10.8.11.43 facility-override local4
#
# logs in  backups.dc$ tail -f /var/log/router | grep SNAT

STATEFUL FIREWALL WITH THE MS-MIC CARD

show extension-provider system packages detail interface ms-0/0/0   # to check the ms card capabilities

STATELESS FILTERING IN THE MX

NOTES:

  1. Lots of interesting links here on attack prevention
    1. Today, UDP-based attacks are more prevalent (e.g. NTP amplification). Check the Verisign blog.
    2. Sometimes a simple traceroute reveals too much information about the device (e.g. router vendor, link type).

DDOS PROTECTION BUILT IN

ssh loncr01.dc " show ddos-protection protocols" | egrep "Protocol Group|Drop" | egrep -v ": 0"
ssh loncr01.dc " show ddos-protection protocols" | egrep "Protocol Group|Dropped:   [1-9]"
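The two egrep pipelines above only surface the lines; once the output is long it helps to keep group, packet type and scope together. As an added example (not from the page or from Juniper), this parser reads constructed output in the shape of 'show ddos-protection protocols' and returns every nonzero Dropped counter together with where it was counted (system-wide, routing engine, or an FPC), which is what tells you whether the policer hit on the line card or on the RE. The counter values are made up; the layout is an assumption based on the real command's output.

```python
import re

# Constructed output in the shape of 'show ddos-protection protocols'; not captured from a router.
SAMPLE_OUTPUT = """\
Protocol Group: ARP

  Packet type: aggregate (Aggregate for all ARP traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Priority:         high
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is never violated
      Received:  18231               Arrival rate:     3 pps
      Dropped:   0                   Max arrival rate: 12 pps
    Routing engine information:
      Aggregate policer is never violated
      Received:  18231               Arrival rate:     3 pps
      Dropped:   0                   Max arrival rate: 12 pps

Protocol Group: ICMP

  Packet type: aggregate (Aggregate for all ICMP traffic)
    Aggregate policer configuration:
      Bandwidth:        20000 pps
      Burst:            20000 packets
      Priority:         high
      Recover time:     300 seconds
      Enabled:          Yes
    System-wide information:
      Aggregate bandwidth is no longer being violated
        No. of times the aggregate bandwidth has been violated: 3
      Received:  994817              Arrival rate:     45 pps
      Dropped:   41210               Max arrival rate: 52000 pps
    Routing engine information:
      Aggregate policer is never violated
      Received:  953607              Arrival rate:     45 pps
      Dropped:   0                   Max arrival rate: 20000 pps
    FPC slot 0 information:
      Bandwidth: 100% (20000 pps), Burst: 100% (20000 packets), enabled
      Aggregate policer is no longer being violated
        No. of times the aggregate policer has been violated: 3
      Received:  994817              Arrival rate:     45 pps
      Dropped:   41210               Max arrival rate: 52000 pps
"""

GROUP_RE = re.compile(r"^Protocol Group:\s+(\S+)")
PTYPE_RE = re.compile(r"^\s+Packet type:\s+(\S+)")
SCOPE_RE = re.compile(r"^\s+((?:System-wide|Routing engine|FPC slot \d+) information):")
DROP_RE = re.compile(r"^\s+Dropped:\s+(\d+)")


def parse_drops(text):
    """Return (group, packet_type, scope, dropped) for every Dropped: counter in the output."""
    group = ptype = scope = None
    rows = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group, ptype, scope = m.group(1), None, None
            continue
        m = PTYPE_RE.match(line)
        if m:
            ptype = m.group(1)
            continue
        m = SCOPE_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        m = DROP_RE.match(line)
        if m and group and ptype and scope:
            rows.append((group, ptype, scope, int(m.group(1))))
    return rows


def groups_with_drops(text):
    """Protocol groups with a nonzero Dropped counter anywhere: what the egrep filter surfaces."""
    return sorted({g for g, _, _, n in parse_drops(text) if n > 0})


def drop_locations(text):
    """Nonzero counters with their scope; FPC-side vs RE-side drops point at different causes."""
    return [row for row in parse_drops(text) if row[3] > 0]


if __name__ == "__main__":
    print("groups dropping:", groups_with_drops(SAMPLE_OUTPUT))
    for row in drop_locations(SAMPLE_OUTPUT):
        print("%-6s %-10s %-28s %d" % row)
```

Pipe the real command output in over ssh exactly as in the one-liners above; a group that only drops at the FPC scope is being rate-limited on the line card before it ever reaches the RE policer.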

CONFIGURATION MANAGEMENT:
To check previous commits. Current and past (50) configs are in /config/juniper.conf.x
* Global timeouts in the ASA, see pg 44: https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/conns_connlimits.pdf

show system commit
> show system commit    
0   2017-07-22 12:15:05 UTC by jaime_santos via cli commit synchronize
show system rollback 2 compare 0   # to compare
rollback 2   # to jump to the state in 2
show | compare rollback 3 # To see previous states (from the config mode):


Config files location: External Link. Current config in /config . Past configs in /config & /var/db/config
Apply configurations. See this Link for examples:

[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update) filename 
# load patch terminal
# load merge relative terminal  # loads in the same hierarchical manner we see it in the config.
# load merge ftp://username:password@172.30.36.59/switch_juniper.conf.gz_20080304_141543   # Loads it from a file. note it Requires to be zipped!

IRB INTERFACES TSHOOTING
This link has very useful steps: External Link



BSD bash cli:

start shell user root

For interesting file locations see: https://www.juniper.net/documentation/en_US/junos/topics/task/operational/junos-cli-device-files-directories-viewing.html (External Link): /config for the running configuration + some rollback files ; /var/db/config (

LOGOUT users:

show system users no-resolve
request system logout terminal q0

PACKET CAPTURE:

monitor traffic interface xe-1/0/32 no-resolve layer2-headers print-hex 
monitor traffic interface ge-0/0/17 [matching "port 1812 && udp"]  [size 1500] [extensive] [ | save /var/temp/capture.txt]
run monitor traffic interface ge-0/0/x matching arp write-file capture.pcap <<<<< write-file is a hidden command so type it out
  • See Link
  • See filters: External Link
  • Not only family inet filters matter; the firewall family bridge (layer 2) filters are important too. Note how they are applied under 'forwarding-options filter': Example here

Information for the JTAC

request support information | save IM033479  # Equivalent to Cisco "show tech-support"
file archive compress source /var/log/* destination /var/tmp/re0.tgz

Interesting diagnosis: “We found in our SecureMeeting that you have evidence of host path congestion as shown in … and the peer flapping due to hold-time-expired is a classic symptom of host path congestion.”

show pfe statistics traffic | match "hardware input"

MX UPGRADE ISSU:
https://www.juniper.net/documentation/en_US/junos/topics/task/installation/issu-upgrading.html

file copy ftp://myid@myhost.mydomain.net/jinstall64-14.1R4.10-domestic-signed.tgz /var/tmp/jinstall64-14.1R4.10-domestic-signed.tgz
R0> request system software in-service-upgrade /var/tmp/jinstall64-14.1R4.10-domestic-signed.tgz reboot
R1> request chassis routing-engine master acquire

If problems External Link:

request system software abort in-service-upgrade

JUNOS NAMING CONVENTIONS:

  • worldwide: No crypto at all, so only telnet and http management.
  • domestic/no name: crypto both for management and data plane.
  • limited: ssh and https management, but no dataplane encryption (eg. MacSec). intended only for countries in the Eurasian Customs Union because these countries have import restrictions on software containing data plane encryption.

UPGRADE JUNOS
https://blog.marquis.co/upgrading-dual-routing-engine-juniper-mx-series/
https://kb.juniper.net/InfoCenter/index?page=content&id=KB8911&actp=METADATA

set cli timestamp
request support information | no-more   # keep this in a file in case thorough checks are needed
show interfaces terse | except down | no-more  
show chassis hardware
show arp no-resolve | no-more
show bridge mac-table | no-more
show system alarms
# be sure there's an up-to-date backup of the config in rancid
# check console access to the device

file copy /var/tmp/jinstall-ppc-16.1R5.7-signed.tgz re1:/var/tmp/
request routing-engine login other-routing-engine   # and check file and checksum in re1

delete system syslog host 10.8.11.42 any any
delete system syslog host 10.8.11.43 any any
deactivate services adaptive-services-pics traceoptions
deactivate interfaces traceoptions
deactivate routing-options traceoptions
deactivate protocols bgp traceoptions
request system snapshot  # do this both in re0 and re1
commit synchronize
  • 1.- Check ssh sessions are logging; issue and rsi
  • 2.- RE0 (ZERO)
deactivate chassis redundancy graceful-switchover
deactivate routing-options nonstop-routing
deactivate protocols layer2-control nonstop-bridging
commit synchronize 
show chassis routing-engine     # check all looks ok in re0
  • 3.- RE1 (ONE)
re0> request routing-engine login other-routing-engine    # or we can directly console to r1
show chassis routing-engine     # check all looks ok in re1
request system software validate add /var/tmp/jinstall-XXXXXXXXXXXX-domestic-signed.tgz
request system reboot 
# Wait until the re1 upgrade is finished
# The total upgrade takes about : 30 mins
# The reboot itself takes about : 15 mins
# The forwarding plane switch-over takes: 2mins
# During that period, the re being upgraded moves from 'backup' to 'present'
show chassis routing-engine # both re will show (Master and Backup states)
  • 4.-RE0 (ZERO)
request chassis routing-engine master switch  # note we need to switch from the Current Master RE
warning: Traffic will be interrupted while the PFE is re-initialized 
Resolving mastership...
Complete. The other routing engine becomes the master...
show chassis routing-engine  # master will show in slot 1
; Check Traffic is passing OK in re1 now
request system software validate add /var/tmp/jinstall-XXXXXXXXXXXX-domestic-signed.tgz
request system reboot 
# Wait until the re0 upgrade is finished
# The total upgrade takes about : 30 mins
# The reboot itself takes about : 15 mins
# The forwarding plane switch-over takes: 2mins
# During that period, the re being upgraded moves from 'backup' to 'present'
show chassis routing-engine # both re will show (Master and Backup states)
  • 5.-RE0 (ZERO)
activate chassis redundancy graceful-switchover
activate routing-options nonstop-routing
activate protocols layer2-control nonstop-bridging
commit synchronize 
  • 6.- RE1 (ONE)
show chassis routing-engine   # R0 (still backup) r0 Must be healthy!
request chassis routing-engine master switch    # << note now the failover is hitless, as the forwarding engine already has the new firmware
show chassis routing-engine
  • 7.- IN BOTH RE0 AND RE1
request system snapshot
  • 8. IN RE0
edit
set system syslog host 10.8.11.42 any any
set system syslog host 10.8.11.43 any any
activate services adaptive-services-pics traceoptions
activate interfaces traceoptions
activate routing-options traceoptions
activate protocols bgp traceoptions
commit synchronize
show version invoke-on all-routing-engines
show task replication
show system switchover # from the backup re
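Every 'show chassis routing-engine' step in the procedure above is a gate: the mastership switch must be issued from the current master, and it must not be issued while the other RE still shows 'Present' after its reboot. As an added example (not from the page or from Juniper), this script parses constructed output in the shape of that command and decides whether the next step is to wait, to switch, or to log into the other RE first. The output text is constructed; the 'Current state' / 'Slot N:' layout is an assumption based on the real command.

```python
import re

# Constructed, trimmed output in the shape of 'show chassis routing-engine'; not from a real chassis.
HEALTHY = """\
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    Temperature                 37 degrees C / 98 degrees F
    Memory utilization          31 percent
    Model                          RE-S-1800x4
    Start time                     2017-07-20 10:02:11 UTC
    Uptime                         2 days, 2 hours, 13 minutes, 2 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
  Slot 1:
    Current state                  Backup
    Election priority              Backup (default)
    Model                          RE-S-1800x4
    Uptime                         2 days, 2 hours, 10 minutes, 48 seconds
"""

# Same chassis while the other RE is still coming back after 'request system reboot'.
MID_UPGRADE = HEALTHY.replace("Current state                  Backup",
                              "Current state                  Present")

SLOT_RE = re.compile(r"^\s+Slot (\d+):")
STATE_RE = re.compile(r"^\s+Current state\s+(\w+)")


def re_states(text):
    """Map RE slot number -> current state (Master, Backup, Present, ...)."""
    states, slot = {}, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = STATE_RE.match(line)
        if m and slot is not None:
            states[slot] = m.group(1)
    return states


def master_slot(states):
    """Slot holding mastership, or None if there is not exactly one master."""
    masters = [s for s, st in states.items() if st == "Master"]
    return masters[0] if len(masters) == 1 else None


def ready_for_switchover(states):
    """True only with exactly one Master and one Backup; a 'Present' RE is still booting."""
    return sorted(states.values()) == ["Backup", "Master"]


def next_step(text, local_slot):
    """What the procedure allows from the RE you are logged into (slot 0 or 1)."""
    states = re_states(text)
    if not ready_for_switchover(states):
        return "wait"            # do not touch mastership until both REs are settled
    if master_slot(states) == local_slot:
        return "switch"          # request chassis routing-engine master switch
    return "login-other-re"      # request routing-engine login other-routing-engine first


if __name__ == "__main__":
    print("healthy, from re0:", next_step(HEALTHY, 0))
    print("healthy, from re1:", next_step(HEALTHY, 1))
    print("mid-upgrade, from re0:", next_step(MID_UPGRADE, 0))
```

Run it against the pasted command output before each 'master switch' in the procedure; a "wait" answer means the 'Present' window described above has not closed yet.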

set system services ssh root-login allow # after 16.1 this is required for root SSH; better to keep it disabled.


TO MANUALLY FAILOVER ROUTING ENGINE:

request chassis routing-engine master switch  #from the current MASTER RE !!
request routing-engine login

TO RESET RE:

request system reboot [at ; other-routing-engine ;  both-routing-engines]

IN EVENT OF FAILED UPGRADE:

request system snapshot recovery 

----

COPY CONFIGURATION
Via scp: (see below)
Via Ansible:


SETTING SSH & USERS
SSH:

set system services ssh root-login allow
set system services ssh protocol-version v2
set system services ssh rate-limit 30
set system services netconf ssh

USER:

set system login user jaime_santos uid 2008
set system login user jaime_santos class super-user
set system login user jaime_santos authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpFIrjBUVFEcnS3xsgyIm//Oj5ubMvx2/d5tZpF4dJAgV75ApJj24Qt5lxRqFUXlsHRBiWO/abFf4X0zFoFvK8oLNjZjBuYv7+/XqoU/ZYmI8mhwgrbYr/Qy1IIWNoQGqZhn7QxZTSCKxA/QAKrOfIZO1oooTVFoco8YeMHtd/1HwHDGjpX3AklDRs0pOUefmreHd4mtpApeaf7YAI5eWbdUBMGKaPdX33lGOM5Gh/FgIbFVS8aTw6whaBn6Lpa5aErr/YCPql6FZRXRTLV9OBB4XLXy0u/lp+Gview/Za8wEjQKA6PZYFtoGJa2WqLQeoW3oTnfCbX0rwD9qykCiP jotasan@loclocalhost.localdomain"
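The SSH block above enables root-login, which the upgrade notes say is better kept disabled. As an added example (not from the page or from Juniper), this is a small audit over set-format config text that flags root-login allow, a missing protocol-version v2 pin and a missing rate-limit, and passes on a hardened copy. The two config snippets are constructed from the page's own lines; 'deny' is the real root-login value used to disable it.

```python
import re

# Constructed set-format snippet built from the page's own SSH lines.
AS_ON_PAGE = """\
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services ssh rate-limit 30
set system services netconf ssh
"""

# Same snippet with root SSH login disabled.
HARDENED = """\
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh rate-limit 30
set system services netconf ssh
"""

SSH_LINE = re.compile(r"^set system services ssh (\S+)(?:\s+(.*))?$")


def ssh_settings(config_text):
    """Collect 'set system services ssh <knob> [value]' lines into a knob -> value dict."""
    settings = {}
    for line in config_text.splitlines():
        m = SSH_LINE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_ssh(config_text):
    """Return (knob, finding) pairs; an empty list means the checks pass."""
    s = ssh_settings(config_text)
    findings = []
    if s.get("root-login") == "allow":
        findings.append(("root-login",
                         "root SSH login allowed; set 'root-login deny' and use a named super-user"))
    if s.get("protocol-version") != "v2":
        findings.append(("protocol-version", "protocol-version v2 is not pinned"))
    if "rate-limit" not in s:
        findings.append(("rate-limit", "no rate-limit on incoming SSH connections"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as on page", AS_ON_PAGE), ("hardened", HARDENED)):
        print(name, "->", audit_ssh(cfg) or "ok")
```

Feed it 'show configuration | display set' output; the same pattern extends to other knobs you want to keep pinned across the fleet.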

Kick out logged users with pid:

request system logout pid <pid>

----

MANAGEMENT INTERFACES
Many types of Junos OS platforms include a dedicated management port on the front panel. For others, you can configure one of the Ethernet ports to act as the management (out-of-band) interface. Examples of management interfaces are: me0, em0, fxp0.


HARDWARE
CARDS:

  • Multiservices DPCs
  • PICs
  • MPC (mpc > fpc > mic)
    • Modular Port Concentrators (MPCs) provide packet forwarding services. The MPCs are inserted into a slot in an MX240, MX480, MX960, MX2010, or MX2020 router. Each DPC/MPC contains 1, 2 or 4 PFEs, each of which is self-contained in terms of forwarding decisions.
  • MIC
    • Provide the physical connections to various network media types. MICs allow different physical interfaces to be supported on a single line card.
  • FRUs
    • Components that can be replaced at the customer site with minimal router downtime. Hot-removable and hot-insertable FRUs: you can remove and replace these components without powering off the router or disrupting the routing functions. Hot-pluggable FRUs: you can remove them without powering off, but the routing functions of the system are interrupted when the component is removed.
    • SCB (Switch and Control BOard): Is a board.


MODELS:

  • MX80 : No switch fabric, all forwarding done by a single chip. x2 MIC (Modular Interface Cards). RE built into the motherboard, no ISSU. 55Mbps 1m entries in the FIB, 4m in the RIB. FPC0 , FPC1. Inside the FPC we have PIC cards
  • MX104 : RE card. 4 built in 10G SFP+. x3 (built in) MPC (FPC0 to FPC2)
  • MX240 : Chassis supporting all: RE, SCB and FPC. 5u tall

CHASSIS:


Openconfig project : Aimed to unify configuration apis regardless of the hardware/vendor.
Uses YANG with leaves called containers. Differs from SNMP in that the identifiers are alphanumeric rather than numeric.


BGP AND OSPF IN JUNOS (cisco vs juniper)
https://www.juniper.net/documentation/en_US/junos/topics/example/bgp-preference.html

  • EBGP AND IBGP have the same preference 170 but EBGP is always preferred. Of all the routing protocols, BGP has the highest default preference value, which means that routes learned by BGP are the least likely to become the active route.
  • Junos OS chooses the OSPF route, because of the default preference 10 for an internal OSPF route and 150 for an external OSPF route
  • In our case OSPF is less preferred than xBGP set protocols ospf external-preference 200
  • IOS follows RFC 1771 and eBGP routes are advertised to iBGP peers. Junos: not by default (on purpose, as the RFC behaviour might clog iBGP and even cause traffic loops). To make Junos compliant with the RFC and IOS we can use advertise-inactive.
  • Juniper created a compatibility knob for this situation, called advertise-inactive. When applied to an EBGP peering session, this knob results in the advertisement of the best BGP route that happens to be inactive because of IGP preference.
  • Junos 'route preferences': OSPF-IA 10 ; IS-IS-L1-int 15 ; IS-IS-L2-int 18 ; OSPF-E 150 ; IS-IS-L1-ext 160 ; IS-IS-L2-ext 165 ; BGP 170
  • To resolve the possible compatibility issues with IOS:
    • we can change the preference for the OSPF routes (eg: to 200)
    • we can use advertise-inactive « this way Junos advertises via eBGP the best BGP route (still inactive); internally Junos still uses the IGP (better route preference)
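The two fixes above behave differently, and it is easy to forget which one changes forwarding. As an added example (not from the page or from Juniper), this models the preference step of Junos route selection with the preference table listed above, then shows for one prefix learned both from OSPF-external and from an eBGP peer what becomes active and what gets exported to an eBGP neighbour: by default nothing (the BGP route is inactive), with 'external-preference 200' the eBGP route becomes active and is exported, and with advertise-inactive the eBGP route is exported while OSPF stays active. Only the preference and the eBGP-over-iBGP tie-break are modelled; full BGP path selection is out of scope. Prefixes and next hops are constructed.

```python
from dataclasses import dataclass

# Junos default route preferences as listed on this page (lower wins).
DEFAULT_PREFERENCE = {
    "ospf": 10, "isis-l1": 15, "isis-l2": 18,
    "ospf-external": 150, "isis-l1-external": 160, "isis-l2-external": 165,
    "ebgp": 170, "ibgp": 170,
}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    next_hop: str


def preference(route, overrides=None):
    """Preference after any override such as 'set protocols ospf external-preference 200'."""
    prefs = dict(DEFAULT_PREFERENCE)
    prefs.update(overrides or {})
    return prefs[route.protocol]


def active_route(routes, overrides=None):
    """Lowest preference wins; on the 170 tie Junos prefers the eBGP route over iBGP."""
    return min(routes, key=lambda r: (preference(r, overrides), 0 if r.protocol == "ebgp" else 1))


def best_bgp_route(routes):
    """Best BGP path by the eBGP-over-iBGP rule only (full path selection not modelled)."""
    bgp = [r for r in routes if r.protocol in ("ebgp", "ibgp")]
    return min(bgp, key=lambda r: 0 if r.protocol == "ebgp" else 1) if bgp else None


def advertised_to_ebgp_peer(routes, overrides=None, advertise_inactive=False):
    """Junos exports only the active BGP route unless advertise-inactive is set on the session."""
    active = active_route(routes, overrides)
    if active.protocol in ("ebgp", "ibgp"):
        return active
    return best_bgp_route(routes) if advertise_inactive else None


# Constructed: one prefix learned via OSPF external and via an eBGP peer.
CANDIDATES = [
    Route("192.0.2.0/24", "ospf-external", "10.8.40.1"),
    Route("192.0.2.0/24", "ebgp", "10.128.2.10"),
]

if __name__ == "__main__":
    print("default active:", active_route(CANDIDATES).protocol,
          "| exported:", advertised_to_ebgp_peer(CANDIDATES))
    print("external-preference 200 active:", active_route(CANDIDATES, {"ospf-external": 200}).protocol,
          "| exported:", advertised_to_ebgp_peer(CANDIDATES, {"ospf-external": 200}).protocol)
    print("advertise-inactive active:", active_route(CANDIDATES).protocol,
          "| exported:", advertised_to_ebgp_peer(CANDIDATES, advertise_inactive=True).protocol)
```

The last case is the one to double-check in a change window: the peer receives the BGP route, but the box keeps forwarding along the OSPF path, so 'show route advertising-protocol bgp' and 'show route' will disagree by design.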

* ARP *

show arp no-resolve | match entries # to see how often they vary

By default, the ARP aging timer is set at 20 minutes.

show arp expiration-time  # flag none means dynamic mapping.

POLICERS
From : https://www.juniper.net/documentation/en_US/junos/topics/concept/policer-overview.html

locr# show | compare 
[edit firewall family inet filter GYRON-Uplink term VLAN400-OUT-Crawlers-Allow-HTTPS then]
+       policer p-icmp-500k-500k-discard;
[edit firewall]
    policer Limit_2M { ... }
+   policer p-all-1m-5k-discard {
+       if-exceeding {
+           bandwidth-limit 1m;
+           burst-size-limit 5k;
+       }
+       then discard;
+   }
+   policer p-ftp-10p-500k-discard {
+       if-exceeding {
+           bandwidth-percent 10;
+           burst-size-limit 500k;
+       }
+       then discard;
+   }
+   policer p-icmp-500k-500k-discard {
+       if-exceeding {
+           bandwidth-limit 500k;
+           burst-size-limit 500k;
+       }
+       then discard;
+   }
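Review bot: the burst-size-limit 5k on p-all-1m-5k-discard in the [edit firewall] hunk is only about three 1500-byte packets, so traffic that conforms to the 1m bandwidth-limit on average will still be discarded on ordinary bursts; a common rule of thumb is a burst of at least ten times the interface MTU, so consider `burst-size-limit 15k;` or larger and confirm with the `show firewall` counters before relying on it. Also note that the filter term shown only references p-icmp-500k-500k-discard; p-all-1m-5k-discard and p-ftp-10p-500k-discard are defined but not applied anywhere in this diff.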

COMMUNITY

set policy-options policy-statement iBGP-export-prepend term export-internal from interface irb.2
set policy-options policy-statement iBGP-export-prepend term export-internal from interface lo0.0
set policy-options policy-statement iBGP-export-prepend term export-internal then community add TO-COGENT-COMMUNITY1
set policy-options policy-statement iBGP-export-prepend term export-internal then as-path-prepend "123456 123456"
set policy-options policy-statement iBGP-export-prepend term export-internal then accept
set policy-options policy-statement iBGP-export-prepend term END then reject
set policy-options community TO-COGENT-COMMUNITY1 members 174:70
show route advertising-protocol bgp x.x.x.x detail 
[...]
 BGP group cogent-v4-AS174 type External
   Nexthop: Self
   AS path: 123456 123456 [123456] I
   Communities: 174:70

VLANs AND DOT1Q INFORMATION: IN THE MX THESE ARE BRIDGE DOMAINS!
https://forums.juniper.net/t5/Routing/Cannot-use-command-quot-show-vlan-quot-in-MX960/td-p/292147

show bridge domain # ~ like "show ethernet-switching interfaces" in EX series

TROUBLESHOOTING
>set cli timestamp # FIRST THING THIS AND BE SURE WE'RE LOGGING THE SESSION!
RIB-FIB MANAGEMENT:
'Equivalent' to CEF (note that Junos doesn't run/need CEF):

show route forwarding-table
show l2-learning interface  # mac and STP status

Test traffic with firewall filters:

set interfaces irb unit 599 family inet filter input icmp_count_out
set interfaces irb unit 599 family inet filter input icmp_count_in

set firewall family inet filter icmp_count_out term 1 from source-address 10.8.40.169/32
set firewall family inet filter icmp_count_out term 1 from destination-address 8.8.8.8/32
set firewall family inet filter icmp_count_out term 1 then count icmp_out
set firewall family inet filter icmp_count_out term 1 then accept
set firewall family inet filter icmp_count_out term 2 then accept
set firewall family inet filter icmp_count_in term 1 from source-address 8.8.8.8/32
set firewall family inet filter icmp_count_in term 1 from destination-address 10.8.40.169/32
set firewall family inet filter icmp_count_in term 1 then count icmp_in
set firewall family inet filter icmp_count_in term 1 then accept
set firewall family inet filter icmp_count_in term 2 then accept

show firewall | match icmp 
clear firewall filter icmp_count

show firewall filter icmp_count 

Monitor packets in the interface (in the irb).
Note that in the case of an irb the 'host' in the match expression is the NATted destination. If we put the source of the traffic (i.e. the host) it will not work. We need to put either the NATted destination or the irb IP itself. More examples in this External Link

monitor traffic interface irb.599 no-resolve matching  "icmp && ( host 148.64.56.12 or host 148.64.56.13 )"


FORWARDING CONSOLE TROUBLESHOOT
PFE WALK (notes) - CONNECTION TO AFEB0

  1. We identify/capture the packet in question (checking the 'parcels' one by one, usually in hexadecimal, looking for a pattern)
  2. We dump it by doing 'test jnh 0 packet…'
start shell pfe network afeb0   # gets into the PFE 'board' shell
MX104-ABB-0(LONFW02-RE0 vty)# test jnh 0 packet-via-dmem inject trace  # don't issue this until fully understood!

To stop log messages from filters to afeb0 External Link

set syslog tty disable

To execute commands in the pfe:

request pfe execute target afeb0 command "show jnh 0 pool usage"
  • Trio chipset:
    • EDMEM : The external data memory (EDMEM) is responsible for storing all of the firewall filters, counters, next-hops, encapsulations, and hash data.

HIDDEN COMMANDS:


3 ways of configuring dot1q in the MX:
note: the maximum MTU for the MX104 cards is 9192 B

FLEXIBLE ETHERNET SERVICES (mix both styles in same interface, ~cisco ):
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/switches-interface-flexible.html

  • ENTERPRISE VS SP:
    • family bridge interface-mode trunk VS encapsulation extended-vlan-bridge

SERVICE PROVIDER BRIDGE STYLE

set interfaces xe-1/0/0 gigether-options 802.3ad ae1
set interfaces ae1 mtu 9192
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 vlan-tagging
set interfaces ae1 encapsulation extended-vlan-bridge
set interfaces ae1 unit 2301 vlan-id 2301
set bridge-domains bd2301 vlan-id 2301
set bridge-domains bd2301 interface ge-0/0/0.2301
set bridge-domains bd2301 routing-interface irb.2301
set bridge-domains bd2301 service-id 20
set interfaces irb unit 2301 family inet address 172.16.0.10/30
#
set protocols bgp group FC-Zayo-Peer type external
set protocols bgp group FC-Zayo-Peer import FC-Zayo_IN
set protocols bgp group FC-Zayo-Peer export FC-Zayo_OUT
set protocols bgp group FC-Zayo-Peer peer-as 31898
set protocols bgp group FC-Zayo-Peer neighbor 169.254.225.2 local-address 169.254.225.3
set policy-options policy-statement FC-Zayo_IN  term Reject then reject
set policy-options policy-statement FC-Zayo_OUT term Reject then reject
#
CISCO SIDE:
interface GigabitEthernet2.2301
 encapsulation dot1Q 2301
 ip address 172.16.0.9 255.255.255.252

ENTERPRISE BRIDGE STYLE

del int xe-1/0/0
set interfaces xe-1/0/0 gigether-options 802.3ad ae1
set interfaces ae1 mtu 9192
set interfaces ae1 unit 0 family bridge interface-mode trunk
set interfaces ae1 unit 0 family bridge vlan-id 2301
#
set bridge-domains bd2301 vlan-id 2301
set bridge-domains bd2301 int ae1.2301
set interfaces irb unit 2301 family inet address 169.254.225.3/31
#
set protocols bgp group FC-Zayo-Peer type external
set protocols bgp group FC-Zayo-Peer import FC-Zayo_IN
set protocols bgp group FC-Zayo-Peer export FC-Zayo_OUT
set protocols bgp group FC-Zayo-Peer peer-as 31898
set protocols bgp group FC-Zayo-Peer neighbor 169.254.225.2 local-address 169.254.225.3
#
set policy-options policy-statement FC-Zayo_IN  term Reject then reject
set policy-options policy-statement FC-Zayo_OUT term Reject then reject

IPSEC VPN (MS-MIC MS-MPC):

FILTERS:

set firewall family inet filter vpn-filter term admin-services-ike from source-prefix-list List-IPs
set firewall family inet filter vpn-filter term admin-services-ike from protocol udp
set firewall family inet filter vpn-filter term admin-services-ike from port 500
set firewall family inet filter vpn-filter term admin-services-ike then accept
set firewall family inet filter vpn-filter term admin-services-esp from source-prefix-list List-IPs
set firewall family inet filter vpn-filter term admin-services-esp from protocol esp
set firewall family inet filter vpn-filter term admin-services-esp then accept

TROUBLESHOOT:

show services ipsec-vpn ipsec security-associations detail  # like 'sho crypto isakmp sa'
show services ipsec-vpn ipsec statistics 
show services ipsec-vpn ipsec security-associations ipsec_ss_ms_5_2_01 # like 'sho crypto ipsec sa'