GRE Tunneling and Recursive Routing
When using a routing protocol over GRE tunnels you might end up learning the tunnel endpoint via the routing protocol. When the tunnel endpoint is preferred using the route learned from the routing protocol you end up with a flapping tunnel.
The router will detect this and generates a message:
%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
The easiest way to solve this is by using a static route to the tunnel endpoint.
If this is not allowed you can also use a prefix filter. This filter should block the advertisement of the tunnel endpoint prefix via the GRE tunnel. For example:
ip prefix-list FILTER_TUNNEL_ENDPOINT seq 5 deny 150.1.10.0/24
ip prefix-list FILTER_TUNNEL_ENDPOINT seq 10 permit 0.0.0.0/0 le 32
This will match the tunnel endpoint address (150.1.10.0/24), but allow the other prefixes.
Use this prefix-list to filter the outgoing advertisements on the tunnel interface.
router rip
distribute-list prefix FILTER_TUNNEL_ENDPOINT out Tunnel1
Local Policy Routing
To use policy routing for locally generated packets use the statement in global config:
ip local policy route-map <route-map>
Reliable Policy Routing
Reliable Policy Routing can be configured by using the "set ip next-hop verify-availability" statement in a route-map. There are two ways to verify the availability of the next-hop. One way is to use CDP. The other way is to use a tracked object (e.g. IP SLA).
Verify availability of next-hop using CDP:
route-map PBR_FROM_R3 permit 10
match ip address FROM_R3_TO_R4
set ip next-hop 155.1.0.5
set ip next-hop verify-availability
set ip default next-hop 155.1.146.4
Verify availability using a tracked object:
route-map PBR_FROM_R3 permit 20
match ip address FROM_R3_TO_R5
set ip next-hop verify-availability 155.1.146.4 1 track 1
set ip default next-hop 155.1.0.5
EIGRP Route Filtering with NX-OS
Overview So we all know how to filter EIGRP routes; right? create a prefix-list or access-list then apply that to the routing process. You can also do offset-lists, all that good stuff. This is...[[ Summary content only, you can read everything now, just visit the site for full story ]]
Policy Routing
Create one or more access-lists that specify what traffic should use policy routing.
ip access-list extended FROM_R4
permit ip host 155.1.146.4 any
ip access-list extended FROM_R6
permit ip host 155.1.146.6 any
Then create a route-map that will match the defined access-lists and specify an action.
route-map PBR permit 10
match ip address FROM_R4
set ip next-hop 155.1.13.3
route-map PBR permit 20
match ip address FROM_R6
set ip next-hop 155.1.0.5
route-map PBR permit 30
# will match any other traffic
Tie the route-map to an interface to enable policy routing.
interface FastEthernet0/0
ip policy route-map PBR
Usefull debug commands:
#debug ip policy
IP SLA & Enhanced object tracking
Create a SLA object to schedule a ping test
ip sla 1
icmp-echo <ip address>
frequency <in seconds>
ip sla schedule 1 life forever start-time now
Enable Enhanced Object tracking on the SLA
track 1 ip sla 1 reachability
Tie the tracked object to a static route
ip route 150.1.1.0 255.255.255.0 155.1.146.1 track 1
As soon as the ping test fails the static route will be removed from the routing table.
When there is another static route with a higher Administrative Distance this route will be injected into the routing table.
Once the ping test is successfull again the original static route will be injected again.
Usefull show commands:
#sh track 1
Track 1
IP SLA 1 reachability
Reachability is Up
3 changes, last change 00:21:42
Latest operation return code: OK
Latest RTT (millisecs) 1
Tracked by:
STATIC-IP-ROUTING 0
#sh ip sla statistics 1
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Type of operation: icmp-echo
Latest RTT: 1 milliseconds
Latest operation start time: *20:39:26.283 UTC Wed Jul 13 2011
Latest operation return code: OK
Number of successes: 417
Number of failures: 13
Operation time to live: Forever
Usefull debug commands:
#debug track
#debug ip routing
fun with bi-directional forwarding (BFD)
So I was tasked to provide a failover mechanism for a customer with Juniper equipment without using OSPF. With the L2 providers we use there is always a link from the CPE to the provider equipment and then it breaks … Continue reading
Juniper SRX Tips :: Altering Default-Deny Behavior
In our previous article, we looked at using apply-groups to alter all the security policies uniformly on an SRX device such that they would all have an implicit logging statement. And while this is fine for all existing policies, it doesn't log traffic which doesn't match any explicitly defined security policy.
The reason for this is due to the fact that in Junos, traffic which doesn't match an explicitly defined security policy matches against the default-deny policy. However, given the fact that the default-deny policy is implicitly defined, apply-group configurations are of little benefit as apply-groups can only be inherited by those elements which have been explicitly defined.
Often in these cases, administrators will simply choose to create their own deny policies with the desired options and place this deny policy as the last policy for traffic going from one zone to another. However, in instances where there are many zones, it might prove too cumbersome and time consuming to manually configure this to accommodate all zones.
Clearly it would be more beneficial to have something akin to the Global Zone in ScreenOS which can be used to match on all traffic which doesn't match against any of Continue reading
Juniper SRX Tips :: Uniform Security Policy Modification
Often there are instances where we want to affect all security policies configured on an SRX device. For example, let's say that we have thousands of policies configured on our firewall, and we want to enable logging for every single policy. Obviously this would take some time if we were to do this manually on each and every individual policy, so an easier way is desired.
In ScreenOS we have the concept of a Global zone which acts as a container encompassing all zones, but to date, Junos does not support a similar functionality on the SRX. Furthermore, the Global zone doesn't affect existing policies but rather is way to apply a consistent policy to all Inter-zone and Intra-zone traffic that doesn't match any of the existing policies.
However, despite all of this, there is in fact a methodology we can use to uniformly modify all of the existing security policies on our box, in a manner that is actually much more powerful than what is accomplished in ScreenOS with the Global zone.
Let's take a look. First, let's say we have some policies that we would like to enable logging on:
root@ce-1# show security policies
Continue reading
A Primer on IP/IPv6 Mobility
At the end of my Senior Design sequence, a professor asked if I had time to look into IPv6 Mobility. At the time, I had to tell him no, since it was considered to be out of scope for the project. It’s a shame really - the concept of IP Mobility in general is extremely fascinating. I’d like to point out that IP Mobility is well-documented technology - and I’d rather not spend a lot of time explaining it, since I’m sure there are articles out there that do a much better job.A Primer on IP/IPv6 Mobility
At the end of my Senior Design sequence, a professor asked if I had time to look into IPv6 Mobility. At the time, I had to tell him no, since it was considered to be out of scope for the project. It’s a shame really - the concept of IP Mobility in general is extremely fascinating. I’d like to point out that IP Mobility is well-documented technology - and I’d rather not spend a lot of time explaining it, since I’m sure there are articles out there that do a much better job.ACLs Supported on 3560&3750 Switches– Part II (VLAN Maps)
On 3560 and 3750 series switches, there are several ACL types that can be used, each with its own features and restrictions. This post represents the second part covering VLAN maps.
What Does The Cloud Mean To Your Network?
If you're an IT professional you've probably been hearing a lot about cloud computing lately. I know I've sat through a number of seminars and sales pitches where people have been touting public cloud services on the merits of lower cost, reducing infrastructure and quicker implementation of services. However, I've noticed that almost none of these presentations discuss the increased reliance on Internet connectivity. With all the focus on the benefits of cloud computing, it's easy to forget that there has to be a trade-off. In order to offer reliable, quality access to public cloud services, your Internet connectivity likely needs some tuning.
ACLs Supported on 3560 & 3750 Switches – Part I (Port ACL & Router ACL)
On 3560 and 3750 series switches, there are several ACL types that can be used, each with its own features and restrictions. This post represents the first part covering Port ACLs and Router ACLs.
JNCIE Tips from the Field :: Summarization Made Easy
Today we'll start with a series of articles covering tips and techniques that might be utilized by JNCIE candidates, whether pursuing the JNCIE-SP, JNCIE-ENT, or even the JNCIE-SEC. The tips and techniques I will be covering might prove to be useful during a lab attempt but could also be used in real-world scenarios to save time and minimize configuration burden in addition to eliminating mistakes that might otherwise be made. I want everyone to understand that what I am about to write is simply a technique. I am not divulging any materials or topics which are covered under NDA.
NOTE: For full disclosure, I must reveal that I am an employee of Juniper Networks in their Education Services department. As such, I take the responsibility of protecting the content and integrity of the exam as well as the certification credentials very seriously. I would never reveal anything which would allow a candidate to have in-depth knowledge of any specific topics or questions that may appear on the exam. Not only that, I worked REALLY, REALLY hard to achieve my JNCIE certifications, and I believe everyone else should too! It's certainly more rewarding that way too don't you think?!
Juniper as-path-expand with bgp communities
With working in an ISP enviroment I always find myself trying to automate or create process for others to follow so I don’t have to do the work ;-) I recently started to look at BGP communities and to see … Continue reading
Day One Guide: Junos Tips, Techniques, and Templates 2011
I am happy to announce that Juniper has just released a new Day One Guide entitled "Junos Tips, Techniques, and Templates 2011". For this particular Day One Guide, Juniper Networks Books and J-Net joined forces and requested the best and brightest Junos tips and techniques from the Junos user community. In fact, the book was created after a thorough selection process which included reviewing over 300 submitted tips by over 100 individuals on the J-Net community boards at forums.juniper.net.
I am honored that Juniper accepted my contributions and decided to include them in this guide. My contribution "Automatically Allow Configured BGP Peers in a Loopback Firewall Filter" covers how to configure a Junos prefix-list in conjunction with the apply-path features to parse a configuration and then dynamically build a list of matching prefixes for use in a firewall filter.
Outside of my meager contribution, this guide is chock full of dozens of useful tips and techniques and is an indispensable guide for anyone involved in managing Juniper platforms on a daily basis.
Junos Tips, Techniques, and Templates 2011 can be ordered on Amazon in hardcopy or Kindle edition, and is also available as a free download in PDF format. Enjoy!
Securely Wipe Your Hard Drive the Quick and Dirty Way
We’ve all heard about tools like Darik’s Boot and Nuke for performing secure hard drive wipes suitable for even the most paranoid. However, in a pinch, there’s an alternative that often goes overlooked, but is able to erase data at a level comparable to all the usual standards like DoD (or even the incredibly obnoxious 35-pass Guttmann method) The ‘shred’ utility exists on nearly every popular Linux live CD/DVD and can be executed in a live environment to do the job when it’s all you have.Securely Wipe Your Hard Drive the Quick and Dirty Way
We’ve all heard about tools like Darik’s Boot and Nuke for performing secure hard drive wipes suitable for even the most paranoid. However, in a pinch, there’s an alternative that often goes overlooked, but is able to erase data at a level comparable to all the usual standards like DoD (or even the incredibly obnoxious 35-pass Guttmann method) The ‘shred’ utility exists on nearly every popular Linux live CD/DVD and can be executed in a live environment to do the job when it’s all you have.Network 2.0: Virtualization without Limits
So the theme of the day is Network Virtualization, Software defined networks and taking virtualization to its logical conclusion i.e. server, storage and network in a giant resource pool that can be allocated/assigned any which way. Although its easier said then done. Server and Storage virtualization were a bit simpler since we were dealing with one OS that needed to provide the right abstraction layer. The H/W resource pool (disk, cpu, network, memory, etc) was managed by the single OS so provisioning it between various virtual machines or storage pool was a bit simpler. The network by definition is useful only when multiple devices are connected and trying to treat them as a single resource pool is harder. A virtual networks has to deal with not just links, bandwidth, latency and queues but also
higher level functionality like routing, load balancing, firewalling, DNS, DHCP, VPN, etc. etc. And we haven’t even talked about how this all will hook up together along with virtual machines and virtual storage pool in a easy manner. Now before you argue that every component is already virtualized (which is very true), one could argue that it still doesn’t give me a virtual network. It Continue reading