Hello all ,

Today i was working on a ticket which was based on an interface down alert and was observing all the details what Network management system has thrown on my face … i was seeing it and was impressed with amazing details it was showing all of the values … quickly my brain recalled that it was from snmp and i was very happy for my memory power haha

as i was thinking about the monitoring system and wanted to set it up so that i could gain some experience on it i went to solar winds website and was happy to see that they are offering a free trial of all of their products ..

the point is how do i have such  a huge equipment stance as a Data center ..and quickly i thought about a wild guess of associating the trial Network management system With Gns3 .. i quickly downloaded their Network monitoring software which allowed me to see only one product ..nevertheless i installed it and was thinking how could i associate it with my GNS3 … i did it finally and was seeing all the results and snmp world as iam unware of snmp stuff as such ..still i dont know how it happens as my goal from tomorrow would be precisely that ! .. i got some results and would show that to you …

This is still in Idea phase hope it grows more and gives all of us a huge familiarity of all the technologies with a open source software such as gns3 .. thank you guys @ gns3 who made it possible

Regards

Rakesh

Share on Facebook

Well i was studying about Routing policy and their implementation and their power in filtering out and filtering in updates … i knew this before as many access lists , distribute lists and other do the same filtering .. but was studying an interesting thing called Radix tree which showed a very basic way in which ’1′ or ’0′ would change the ip address / subnet … i wish i could have showed the same but instead of me telling i would advice you to do some search and feel good after reading !

In the mean while iam working on Quality of service and may be going with some internetwork expert work books … trying to attend Narbik bootcamp in a near by location .. had a chat wid Narbik and waiting for his email for other details

i will post you updated about the ccie and status …. i would be attempting lab some where soon and dnt know how that goes ! iam working with Junipers Adaptive threat Management and Data center architecture   …. some unified solutions

Keep Rocking

Rakesh

Share on Facebook

M and MX series overiew
———————–

juniper is #2 with 48% market share

consolidation , complexity , reliability , security&compliance is evolution

reduce tco, increase roi , profitability

Advance Routing and sofware
—————————

two tiered collapsed architechture

virtualisation , low latency , carrier class reliablity , qos , security

one operating system , one single software release , one common architechture

junos trio chipset

mx 3d industry leader

carrier class reliability,reduced network complexity , sustainablity and operational efficiency , improved end user exp and app perf , improved network flexibility

mcast distribution tree – spt or source tree / shared tree

forwarding delay – advance asic
transmission – user higher port speeds
propagation – reduce distance between source and recievers
end-to-end latency – implement all of them

forwarding path is full of asic based providing low latency

optimized hardware

i-chip asic for intensive services , pfe , redundancy

nsr – non stop routing , issu in-service software upgrade

graceful routing engine switchover
———————————-

backup routing states are maintained with keepalive mechanism

Nonstop Active Routing
———————-

maintains all the state routing engines , hence no routing latency in switchover

Unified in-service software upgrade
———————————–

can be installed with new versions without
reloading the device by installing it in the standby routing engine

quality of service
——————

standard 8 hardware ques with over 1000 to choose from (mcli)

acl and policers
—————–

m/mx/t have the most flexible and sophisticated policers in the industry

memory allocation – dynamic (mad)
———————————

provides right amount of bandwidth to queues

rewrites / marking
——————

ingress dscp rewrite / egress rewrite
802.1p ieee bits

mpls network virtualisation
—————————

support network segmentation and privacy
improve network security
scales for future growth

enterprise routing portifolio
—————————–

mx – optimized for wan gw , campus , dc aggr and core

m – application at campus backbone , wan edge

t – carrier class multi-service routing system,high perf

mx80 , mx240 , mx480 , mx960

ise – intelligent services edge
——————————-

not a product , its a service which enables high performance and scale , service flexibility and operational efficiency

mx 3d aggregation
——————

16x10gbe ports , 120 gbps (mx 240 mx 480 mx 960)

eantc -  european advanced networking test center

mx 3d 100gb3 line card – line rate 100mb

16port ge line card – regional high speed metro network,suitable for large data center

mx80 3d ethernet services router – worlds most powerful 3.5 inch router

mx80 – any where dc

junos space simplicty , reliability ,scalability

mx960 ethernet services router
——————————

14 slot chassis , 172 ports , front to back cooling

dpc – dense port concentrators

re is the daughter card for scb (switch control board)

mx480 ethernet services router
——————————

smaller firm factor than mx960 and offers
half capacity than mx960

8 slot chassis cards (6+2)

side to side cooling

mx240 ethernet services router
——————————

half of mx480 performance

4 slot chassis (2+2 or 3+1)

mx fpc carrier cards (non ethernet intf)

mx architecture
—————-

2-3 switch control boards(scb’s)
scb’s fully redundant
packet order maintained
qos maintained

mx fpc architecture
——————–

pics are hot swappable and support oir
l3 ichip and l2 ese npu as the dpc’s
fpc supports l2 and l3

dpc-r(switching and routing) , dpc-x(scaled-down switching routing) , dpc-q (queing)

mx family has fuller and richer capabilities over ex

M-series
——–

m7i , m10i , m120 , m320

m7i multiservice edge router
—————————-

1 fixed ge or 2 fixed fe ports

16mpps lookup perf

m7i components
————–

4 pic slots , fic 2 fixed fe , side to side cooling , redundant ac or dc pwr supplies,20 g harddrive , pcmcia , 2 serial aux , ethernet card intf, 850 mbps(tunnel services)

m10i multiservice edge router
—————————–

most compact m series w/ fully redundant common hardware

m10i components
—————

8 slots for hot-swappable and exchanble with m5/m7i/m10i pics , redundant re and fe , redundant pwr ac / dc

m120 multiservice edge router
—————————–

120 gigs throughput , 90mpps lookup , 8 queues per intf

m120 arch
———

4+2 fpc slots,one pfe per feb , 10gbps full duplex per slot , 15mpps per feb

m120 10gig capable high-end enterprise router

type 1 : 4pics / fpc 1gig/sec
type 2 : 4pics / fpc 2.5gig/sec
type 3 : 1 pic /fpc 10 gig/sec

two cfpcs for wan intf 10ge or option for no cfpcs

front to back cooled system

routing engineris a daughter card for scb

m120 ip services pic
——————–

provides hw accel
encryption servies pic – ipsec
monitoring services pic – j-flow
tunnel services – gre ipinip
multi-services nat
linkservices – mlppp , mlfr

m320 multiservice edge router
—————————–

same arch as 120 and mx offer with diff type of form factor

8fpc slots , 20gbps full dup , 40mpps per fpc

4 scbs

e3 fpc overview
—————-

type 1(4) , 2(4) , 3(2 – 10gigs each),
redundant power supplies

non – ethernet intfs – then m-series

only ethernet intfs – them mx but you have an option for non-intfs

m-series offer with l3 where as mx can as work as l2

partner solution development platform

customers
———

nyse – new york stock exchange
doe  – department of energy
laboratory of neuro imaging

Regards

Rakesh

Share on Facebook

upgrade path
————-

cisco vs juniper

1600 series vs srx 100

1600->1700->1800 to ssg20, srx210

2500->2600->2800 to srx140,srx240,j2320,j2350,j4350

3600->3700->3800 to srx650,j4350,j6350

7200->7600->M7i srx3000 or srx5000(worlds fastest fw)

7500->7600-> m series or srx3000/srx5000

————-

srx and j-series features
————————-

best in class routing with bgp , rip , ospf , mcst , isis

rich set of wan and lan intf

quality of service

support acl , stateful fw inspect , ipsec , ddos screeing , ids ips , webfilt ,

mpls ce pe and ipv6 routing

fw , nat ,ipsec etc

—————

power of junos
————–

one os(branch and core)  , one release , one architechture

quaterly release process

stand-alone modules and seperation of control and packet forwarding planes

NextGen data plane (alg for instance)

NextGen software is based on screen os
(junos smp kernel with embedded junos features)

firewall processing has been enhanced with best of netscreen and junos with a single lookup and also policy implementation

fw processing  also has DOS and ACL filter with special hardware

session-aware processing avoids policy-matching

SRX series : zones and policies (simplify management)

NEXTGEN NAT : zone based security policy which seperates nat from security policy and no need for loopback-grps or dummy static routes

security policies and NAT are independent

—————————————–

UNIFIED THREAT MANAGEMENT : UTM
——————————-

antivirus – kaspersky
webfiltering – websense / surfcontrol
content filtering
antispan – symantec

url whitelists can be used to bypass scanning of traffic from some sites

mime lists can be set up to bypass scanning of some traffic

webfiltering
———–

Integrated (surfcontrol) and redirect(websense)

a global whitelist/blacklist can be configred

redirect solution

Juniper networks-websense WF soultions
————————————–

Integrated webfiltering and location is in cloud

redirect webfilter is located in same network

ease-of-use is good for integrated webfiltering

latency is good for redirect web filtering

what to use depends on needs of requirement and latency issues

Content Filtering
—————–

control traffic based on MIME type , file extention , protocol commands

ANTISPAM
——–

ip address recognition based on symantec database provider (SPM RBL)

DYNAMIC VPN SERVICE — Access Manager Client
——————————————–

supported on srx100 , srx210 , srx240 not on srx650

layer 3 ipsec client that is automatically downloaded from a junos device
ssl fallback for tcp traversal

will replace NS-REMOTE which was on screen os and NS-REMOTE on srx

SRX FOR THE BRANCH OVERVIEW
—————————

srx100
srx210
srx240
srx650

srx series offers routing and security

all srx will have
——————

routing and switching
firewall and vpn
utm
ids and ips
uac – unified access control
voice services
power over ethernet 802.3at(30watt/port) versus 802.3af (15.4watt/port)

Antivirus

two av engines

full av kaspersky
express av – packet / content security accelarator

full av is high detection and express av is high performance

performance , coverage , memory utilsation

in express av the packet is sent as is and there is no huge av db
in full av the packet is reconstructed as is upto 20 mb and hence more cpu

When performance and memory utilization is a concern , use Express AV

when coverage rate is a concern use fULL av

————-

srx100(small)
——

8xfe , 1 usb , fw 175mbps , vpn 75 mbps , idp 50 mbps , no poe , no voi port , a/a or a/p conn (active , passive) , full utm features

srx210(small)
——

2xge+6 fe , 1 mini pim , 3g slot , usb 2 , voice ports optional 2xfxs 2xfxo or mini-pim , fw perf 250Mbps , vpn 85Mbps , idp 80Mbps , a/a , a/p
4 poe ports (50w total),full utm features

low mem 512mb ram / 1gb flash
high mem 1gb ram / 1 gb flash(comes with regex accelaration for av and idp)

srx240(small to medium)
——

16xge , mini pim 4 , 3g wireless , usb 2 , poe 16ports (150w) , optional 2xfxs , fw 500mbps , vpn 200mbps , idp 250 mbps , a/a a.p (smb) , full  utm

srx650(medium)
——

4xge , gpim 8 , usb 2 per processor,poe upto 48 ports (250w or 500w) , pstn voice ports 8 analog , 2 t1/e1 per gpim , fw 2.5gbps , vpn 1.5 gbps,idp 900mpbs , a/a or a.p or dual power , full utm

2 process module slots (sre services and routing enginer backup sre , application co processor engine ACE card)

uac l3 enforcement points

Mid-plane design and modular ,  8 gpim slots not hot-swap as of now

—————-

Wireless
——–

ax411 blend high perf 802.11n with srx

rapid setup and centralized monitoring of remote sites

integrated

802.11n client adapter choosing should be good

ax411 is 180mbps peak throughput

oversubscription rates 4:1 or 8:1

provisioning model
——————

ap request an ip address using DHCP

DHCP should be configured on SRX gateways

you cannot plug ap into first port of gig eth as it is dhcp client

zero config
———–

except first port of gig e all others are in default-vlan and are in trust zone

plug ap into any of the other ports its as simple as that

L2 Management Mode
——————-

in l2 mode all ports are conn to intf in switching mode

all aps belong to same l3 network

roaming is supported and tranparent to srx series

L3 Management Mode
——————

In l3 mode all ap ports are connected to intf in routing mode

each ap’s belong to diff l3 network

in this mode roaming is not supported

client isolation can be enforced

authentication
————–

local and radius mac

802.1x

wep , wpa , wpa2 with eap based protocols

at srx series gateways
———————-

fw auth with local redirect for local auth

utm,idp,uac,wan accl,ip sec

Junipers Networks 3G Networks
—————————–

Bridge or Integrated with SRX210 integrated 3G

deployment options

on-demand dialing
backup interface
prefix monitoring

rpm monitoring scripts cab be used for failover

Dialer interfaces
—————–

dialer intf are pseudo intfs

J-Series overview
—————–

juniper networks with avaya voip solution with cme configured at remote end

wxc ism200 application accelaration for j2320 , j2350 , j4350 , j6350

unmatched performance when services are turned on

j2320
—–

4ports ge , 3 pims , internal and external c-flash , optional encry card ,supports avaya ip telephony module

j2350
——

5 pim slots , 4 ge , nebs and dc pwr , optional encryp and supports avaya telephony module

j4350
——

4 ge ports , 4pims , 2 epims , supoprts avaya media gateway , dc version available, low mem ver 256mb flash or high end 1gb , optional encryp

j6350
——

4fixed ge lan ports , 2pim slots and 4 epim slots , supports avaya media gateway , dc version available , hardware encryp standard , 1gb dram max 2gb , nebs compliant

pims , enchance pim , universal pim

double the speed whn services when compared with CISCO ISR

30% lower than cisco isr products

Enterprise routing portifolio
—————————–

srx 240 – srx 650 with j-series in between

greenfield acounts – lead with srx series

screen os installed base – go ahead with ssg

existing junos cust – introude srx would be more sense

federal govrnt – then ssg series

managed services – srx

3g connectivity – srx

poe – srx series

wlan today – ssg

ipv6 security – ssg

anything between srx240 – srx650 is j-series

ssg products provides deep inspection are replaced with ips on srx

express av – hardware specific required

srx dosent support wan accel

Regards

Rakesh

Share on Facebook

Hello all  ! hope everyone is doing good ! there are somethings to share .. first of all iam with  various firms as a consultant and been doing some work in setting up their networks and the other way is iam working with a juniper systems elite partner ! .. juniper is not that hard or illogical per se and its good to have so many resources available in juniper site . iam a juniper certified sales associate for m/mx series router platforms now ! … does this mean iam off with ccie track ?

A big No .. i almost done with all sorts of my prep work and in final stages to launch the official labbing experience and scenarios .. i was not getting enough time to blog and keep you informed with my status updates !

ok … as iam done with most of my technologies .iam now going through INE extended blue print which is well written by Anthony Here is the link

http://blog.ine.com/2009/05/12/ccie-rs-4x-expanded-study-blueprint/

For next week i will be on Spanning tree from layer 2 and  GRE tunnel and keep alive mechanisms from Layer 3 . just was going through a cisco doc on gre tunnel keep alive mechanism and was surprised as how Ethernet keepalives work

i will try to do a packet capture and see if that is how it works out … but to make it a soft finish let me brief you about what i read.. A detailed keepalive notes would be posted , this is just a what i have read about ethernet keepalives

ETHERNET KEEPALIVES

Generally keepalives are designed if the path to any particular neighbor is reachable and valid .. but on Ethernets it works in a different and strange way as there are many neighbors in a ethernet segment … A keepalive in this case of ethernet is designed such that local system has a read and write access to the ethernet segment itself ..

The Process

The router which for that matter any router local to itself produces a ethernet packet with source and destination mac addresses as itself and special ethernet code of 0×9000 .. as the packet reaches ethernet hardware , it immediately sends and receives the same packet which should confirm the whole purpose of keepailve mechanism ..

This is amazing for me as of now i dint knew this and as i have known if now i will try to lab it up and see if i can catch the same packet

Regards

Rakesh

Share on Facebook

Been so many sleep less nights wondering what ip sla was until i configured it my self .

Ip sla is basically as one of the methods for enhanced object trackings .

Few names for IP sla

Ip sla -> service level agreeement

or

RTR -> response time reporter

or

SAA -> service assurance agent

Ip sla is used to track many things including DELAY , apps response time such as HTTP , DHCP , DNS , TCP and also reachability using ICMP ECHO

We will basically use it for FHRP (first hop redundancy tracking)

Here is the scenario with HSRP Enabled routers. i would use ip sla to track the interfaces and their status and if active goes down then standby should take over with the help of Ip sla . unlike interface tracking this is fun and powerful as i have added something spicy into the topology

here is what i have done

Initial Congiruation

R1

router eigrp 1

net 10.0.0.0

net 13.0.0.0

pass fa0/0

no auto

same conf on R2

r3

int l1

ip addr 1.1.1.1 255.255.255.0

router eigrp 1

net 13.0.0.0

net 23.0.0.0

net 1.0.0.0

no auto

R4 has a special configuration and will act like a host . so lets turn off routing for it

r4(conf)#no ip routing

r4(conf)#ip default-gateway 10.0.0.10 -> this would be hsrp Virtual Ip address .

int fa0/0

ip addr 10.0.0.4 255.255.255.0

—————

before enabling HSRP we should not be able to ping the V.ip lets verify it on R4

r4#ping 10.0.0.10
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:…..Success rate is 0 percent (0/5)

let us enable HSRP now on R1 and R2

r1(config)#int fa0/0

r1(config-if)#standby 1 ip 10.0.0.10

r1(config-if)#standby 1 preempt

r1(config-if)#exit

r1(config)#

*Mar  1 00:14:58.659: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

r1(config)#

Share on Facebook

Brief topology and configuration of protocol

HSRP Configuration

int fa0/0

standby 1 ip 10.0.0.10

standby 1 preempt

Share on Facebook

Share on Facebook

The previous topology was concerned with establishing a E-BGP neighborings with two directly connected networks . Now lets turn our focus to the ones which are not directly connected but yet needs to be E-BGP peers

The following topology will be used by me

R2 ->R1 — 172.16.1.0/24

R1->R4 — 172.16.2.0/24

R4 :

router bgp 1

nei 172.16.1.2 remote-as 2

R4

router bgp 2

nei 172.16.2.2 remote-as 1

when we turn on debugging and wait for something to happen. Actually first we need see if we have network layer reachability to routers then we can worry about EBGP peerings . Hence i set up a static route and enable

DEBUG IP BGP IPV4 UNICAST

For EBgp relationships

Now if we are left with other configuration option such as Ttl-security lets see how things get worse from one end

even though the state changes from IDLE / ACTIVE -> OPEN SENT it never comes to established

The other router will always be in open confirm mode

Lets verify that

Because the other router is expecting a incoming ip packet value TTL should be atleast 253  or higher . so the solution is to configure R2 such that it sends TTL OF 255 so that by the time packet travels 2 hops its TTL would be 253 .

or the other option is to set ttl-security option to Router 2 also . But we would rather miss the fun Right

Ok lets do it on R2

Yaa can you see the multihop working now in accordance with TTL-SECURITY . Its bed Time . Meet you Tomorrow with some other fun stuff

Regards

Rakesh

Share on Facebook

This is a simple lab which demonstrates the requirements of bgp external peerings

we have got two routers on 172.16.1.0/24 subnet

R1->172.16.1.1 ,r2->172.16.1.2

R1

Router bgp 1

neighbor 172.16.1.2 remote-as 2

R2

Router bgp 2

neighbor 172.16.1.1 remote-as 1

lets see the routers BGP process and some debug messages

—————————————————————————————–

Share on Facebook