Monthly Archives: June 2014

Free voucher for the Brocade Certified vRouter Engineer (BCVRE) 170-010 Exam

A Brocade Certified vRouter Engineer should be able to demonstrate the knowledge needed to implement, install, configure, and troubleshoot Brocade Vyatta solutions.

This exam is based on the Vyatta vRouter; Brocade offers a 60-day trial of the Vyatta vRouter 5400 for download.

Some of the vRouter 5400 features:

  • Advanced IPv4 and IPv6 Unicast and Multicast
  • Stateful firewall, IPsec, SSL-Based OpenVPN and DMVPN
  • Linux-based extensible network OS
  • Hypervisors Supported: VMware ESX, Citrix XEN/XENserver, Microsoft Hyper-V, and RedHat KVM
  • RESTful API, CLI, Web GUI

Anyone who wants to take this exam at no cost should use the voucher code BrocadeNFVPromo and register at http://www.pearsonvue.com/brocade/. The exam lasts 75 minutes and has 51 questions in total, and a minimum of 62% is required to pass.

Good luck :)

Exam topics:

Brocade Vyatta vRouter System Operations

  • Describe show command usage and output
  • Identify key CLI operations
  • Describe the commit and save processes

Ethernet Concepts

  • Identify Ethernet operations
  • Identify VLAN operations and settings
  • Identify bonded interface operations
  • Demonstrate knowledge of configuration and operation using show commands

TCP/IP

  • Demonstrate knowledge of the relationship between Layer 2, IP and TCP/IP
  • Identify TCP and UDP differences
  • Identify IP address subnets

DHCP and DNS Troubleshooting

  • Describe troubleshooting of DHCP operations
  • Describe troubleshooting of DNS forwarding

Routing

  • Identify uses for routing
  • Identify show commands for use with routing
  • Identify configuration of different types of static routes

Firewalls

  • Describe firewall operations and troubleshooting using show commands
  • Describe firewall rulebase operations

NAT

  • Describe NAT concepts

Upgrades

  • Describe the Brocade Vyatta upgrade process

Logging and Packet Captures

  • Identify logging options for firewall and NAT operations
  • Identify methods to verify operations and troubleshooting

OSPF Single-Area

  • Describe OSPF show command output
  • Describe how to configure OSPF

 

Study materials:

ETH 101 Internetworking Fundamentals for Brocade Training

Brocade IP Primer

 

Prerequisites

There are none, but the following free courses (Web-Based Training) are suggested:

SDN 111-WBT – Brocade Vyatta vRouter Software Installation

SDN 121-WBT – Brocade Vyatta vRouter Command Line Interface

SDN 132-WBT – Brocade Vyatta vRouter Dynamic Addressing and DNS

SDN 133-WBT – Brocade Vyatta vRouter Dynamic Host Configuration Protocol

SDN 211-WBT – Brocade Vyatta vRouter Ethernet and VLAN Configuration

SDN 321-WBT – Brocade Vyatta vRouter Static Routes

SDN 341-WBT – Brocade Vyatta vRouter OSPF Basics

SDN 411-WBT – Brocade Vyatta vRouter Network Address Translation

SDN 421-WBT – Brocade Vyatta vRouter Firewall Basics

SDN 511-WBT – Brocade Vyatta vRouter Management and Logging

World IPv6 Launch 2 years later

After the worldwide launch with several major market players, adoption is no longer a myth and the exponential growth speaks for itself.

 


Check Point Order of Operations

After some research, Check Point is not very clear on this topic for its more recent platforms. This "Order of Operations" applies to FireWall-1, and possibly to the newer platforms.

Established connections are allowed as long as they are listed in the state tables, and are NATed as necessary. For new connections, FireWall-1 follows this order of operations:

  • Inbound anti-spoof check (verifies that the source IP is included in the interface’s Topology setting)
  • Inbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are enabled (see Chapter 10)
  • Outbound check against the rulebase (includes properties)
  • NAT, if appropriate properties are not enabled (see Chapter 10)

The rulebase is applied in the directions specified in the rules by the "Install On" field. In most cases, this means both entering and leaving the gateway. However, if a rule specifies Src (outbound) or Dst (inbound), the rule applies only in that direction. Once a packet matches a rule, it performs the action listed in the "Action" field, and no further rules are processed. For authenticated connections not passing through Security Servers, rules and properties are processed in the following order:

  • Rulebase properties listed as First are processed. Matches are accepted and not logged.
  • Rules 1 through n+1 (assuming n rules) are processed and logged according to their individual settings.
  • Rulebase properties listed as Before Last are then processed. Matches are accepted and not logged.
  • Rule n is processed and logged according to its setting.
  • Rulebase properties listed as Last are then processed. Matches are accepted and not logged.
  • The Implicit Drop rule is matched (no logging occurs).

References:

Check Point Firewall

JNCIA-Junos study notes, part 5

Routing Policy

(Routes/Protocols) Import Policies ----> Routing table ----> Export Policies (Routes/Protocols)
                                               |
                                               |
                                               |
                                               v
                                          Forwarding

 

Protocol | Import Policy | Export Policy
BGP | Accepts/imports all BGP routes into inet.0 | Accepts all active BGP routes
OSPF | Accepts/imports all OSPF routes into inet.0 | Rejects everything (protocol floods by default)
IS-IS | Accepts/imports all IS-IS routes into inet.0 | Rejects everything (protocol floods by default)
RIP | Accepts all routes from explicitly configured neighbors and imports them into inet.0 | Rejects everything

With OSPF it is not possible to use a policy to stop the advertisement of LSAs, or even to filter internal routes (including inter-area) out of the routing table. It is possible, however, to filter external routes.
Despite the "rejects everything" in the export policy, the router keeps sending LSAs; the policy does not allow additional routes originating from other sources to be sent.

Import/export policies can be configured at the protocol or neighbor level

Routing policies contain a set of terms, which are evaluated sequentially. When a match is made ("from"), the instructions under "then" are executed, and evaluation of the policy ends at the terminating action, without evaluating the following term.

The control actions for accepting/rejecting routes are accept and reject; both are terminating actions

The insert command can be used to change the order of a term

insert policy-options policy-statement OUT-RIP term ospf-to-rip-1 {after|before} term ospf-to-rip

policy-options {
    policy-statement OUT-RIP {
        term ospf-to-rip-1 {
            from protocol ospf;
            then accept;
        }
        term ospf-to-rip {
            from protocol ospf;
            then accept;
        }
    }
}

If "from" is omitted from the policy, the action of the corresponding "then" is applied to all routes

prefix-list – matches the prefix exactly
prefix-list-filter – allows match types and actions. Match types: exact, longer, orlonger

In polic2, after a match the action is executed (optional, if configured; "then" is not used)

policy-options {
    prefix-list filter-rfc1918 {
        10.0.0.0/8;
        172.16.0.0/12;
        /* the RFC 1918 block is 192.168.0.0/16 */
        192.168.0.0/16;
    }

    policy-statement polic {
        from {
            prefix-list filter-rfc1918;
        }
        then reject;
    }
    policy-statement polic2 {
        from {
            prefix-list-filter filter-rfc1918 longer reject;
        }
    }
}

Route Filters

Route filters cannot be reused, unlike prefix lists, but they allow finer granularity per prefix

Match Type:

exact
from route-filter 192.168.1.0/24 exact

longer
from route-filter 192.168.1.0/24 longer

orlonger
from route-filter 192.168.1.0/24 orlonger

upto
from route-filter 192.168.1.0/24 upto /29

prefix-length-range
from route-filter 192.168.1.0/24 prefix-length-range /27-/30
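
Added example (not part of the original notes): a small Python model of the five route-filter match types listed above, which reduces each one to a window of accepted prefix lengths inside the filter prefix. The function names and the candidate routes are constructed for illustration.

```python
import ipaddress


def parse_route_filter(line):
    """Parse 'from route-filter <prefix> <match-type> [<arg>]' into
    (prefix, shortest_len, longest_len)."""
    words = line.replace(";", " ").split()
    words = words[words.index("route-filter") + 1:]
    prefix = ipaddress.ip_network(words[0])
    # Assumption: a line that names no match type is evaluated as "exact".
    match_type = words[1] if len(words) > 1 else "exact"
    shortest, longest = prefix.prefixlen, prefix.max_prefixlen
    if match_type == "exact":
        longest = shortest
    elif match_type == "longer":
        shortest += 1                      # strictly more specific only
    elif match_type == "orlonger":
        pass                               # the prefix itself or anything inside it
    elif match_type == "upto":
        longest = int(words[2].lstrip("/"))
    elif match_type == "prefix-length-range":
        low, high = words[2].split("-")
        shortest, longest = int(low.lstrip("/")), int(high.lstrip("/"))
    else:
        raise ValueError("unsupported match type: " + match_type)
    return prefix, shortest, longest


def route_matches(line, route):
    """True when `route` lies inside the filter prefix and its length is in the window."""
    prefix, shortest, longest = parse_route_filter(line)
    candidate = ipaddress.ip_network(route)
    if candidate.version != prefix.version or not candidate.subnet_of(prefix):
        return False
    return shortest <= candidate.prefixlen <= longest


# The five filter lines from the notes above.
FILTERS = [
    "from route-filter 192.168.1.0/24 exact",
    "from route-filter 192.168.1.0/24 longer",
    "from route-filter 192.168.1.0/24 orlonger",
    "from route-filter 192.168.1.0/24 upto /29",
    "from route-filter 192.168.1.0/24 prefix-length-range /27-/30",
]

# Constructed candidate routes.
ROUTES = ["192.168.1.0/24", "192.168.1.128/25", "192.168.1.32/27",
          "192.168.1.8/29", "192.168.1.4/30", "192.168.1.1/32", "192.168.2.0/24"]


def match_table():
    """Map each filter line to the candidate routes it matches."""
    return {line: [r for r in ROUTES if route_matches(line, r)] for line in FILTERS}


if __name__ == "__main__":
    for line, hits in match_table().items():
        print(line, "->", ", ".join(hits))
```
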

Common Actions

accept and reject are considered "terminating actions" because they stop evaluation of the policy

The "nonterminating" default-action accept and default-action reject do not stop evaluation of the policy, but they take precedence over the default policy's accept/reject

Other common actions are "next term" and "next policy", known as flow control

Firewall Filters

Filters are stateless; they do not keep connection state

Explicit discard by default

Common Actions

Terminating actions: accept, discard, reject
Flow control: next term
Action modifiers:
count, log and syslog – hits
forwarding-class and loss-priority – specify class of service (CoS)
policer – policing

next term is useful when a policer or a DiffServ code point (DSCP) value needs to be set; there is no "next filter" action
If an action modifier is specified, the accept action is implied

interfaces {
    em5 {
        vlan-tagging;
        unit 121 {
            vlan-id 121;
            family inet {
                filter {
                    input IN;
                    output OUT;
                }
                address 10.10.121.4/24;
            }
        }
    }
}

firewall {
    family inet {
        filter IN {
            term ACCEPT_ALL {
                then {
                    log;
                    accept;
                }
            }
        }
        filter OUT {
            term ACCEPT_ALL {
                from {
                    /* match protocol icmp too, so icmp-type is only tested on ICMP packets */
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then accept;
            }
            term ACCEPT_ALL_ {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    log;
                    discard;
                }
            }
            term ACCEPT_ALL_2 {
                then accept;
            }
        }
    }
}

Filtering Local

Filters affect control plane traffic, so be careful!

Policing

Firewall filters allow policing, or rate limiting. If the first term has no "from" clause, all packets on the interface (input/output) are subject to policing

Policers can be applied directly to interfaces

Policing uses the token bucket algorithm, which enforces a limit on average bandwidth while allowing bursts up to a specified maximum value
Two rate limits are configured: bandwidth and maximum burst size

The preferred method for determining the maximum burst size is to multiply the speed of the interface by the amount of time bursts that you want to allow at that bandwidth level. For example, to allow bursts on a Fast Ethernet link for 5 milliseconds (a reasonable value), use the following calculation:
burst size = bandwidth (100,000,000 bits per sec) x allowable burst time (5/1000s)

This calculation yields a burst size of 500,000 bits. You can divide this number by 8 to convert it to bytes, which gives you a burst size of 62500 bytes.

bandwidth-limit bandwidth-in-bits
burst-size-limit burst-in-bytes

When the policer is evaluated, traffic that does not exceed the limits gets the "then" action of the firewall filter. Traffic that exceeds them gets the policer's action

set firewall family inet filter rate-limit-subnet term match-subnet from source-address 192.100.1.0/24
set firewall family inet filter rate-limit-subnet term match-subnet then policer p1
set firewall family inet filter rate-limit-subnet term else-accept then accept
set firewall policer p1 if-exceeding bandwidth-limit 100k
set firewall policer p1 if-exceeding burst-size-limit 20k
set firewall policer p1 then discard

firewall {
    family inet {
        filter rate-limit-subnet {
            term match-subnet {
                from {
                    source-address {
                        192.100.1.0/24;
                    }
                }
                then policer p1;
            }
            term else-accept {
                then accept;
            }
        }
    }
    policer p1 {
        if-exceeding {
            bandwidth-limit 100k;
            burst-size-limit 20k;
        }
        then discard;
    }
}
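
Added example (not part of the original notes): a Python simulation of the token bucket behind policer p1 and the rate-limit-subnet filter above, plus the burst-size calculation quoted earlier. It assumes 100k and 20k mean 100,000 bit/s and 20,000 bytes, that the bucket starts full, and uses constructed packet arrivals.

```python
import ipaddress


def burst_size_bytes(interface_bps, burst_ms):
    """Interface speed x allowed burst time, converted from bits to bytes."""
    return interface_bps * burst_ms // 1000 // 8


class Policer:
    """Single token bucket: tokens are bytes, refilled at bandwidth-limit
    and capped at burst-size-limit."""

    def __init__(self, bandwidth_limit_bps, burst_size_limit_bytes):
        self.fill_rate = bandwidth_limit_bps / 8        # bytes per second
        self.depth = burst_size_limit_bytes
        self.tokens = float(burst_size_limit_bytes)     # assumption: bucket starts full
        self.last_seen = 0.0

    def conforms(self, now, size):
        """Refill for the elapsed time, then spend `size` tokens if available."""
        elapsed = now - self.last_seen
        self.tokens = min(self.depth, self.tokens + elapsed * self.fill_rate)
        self.last_seen = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def rate_limit_subnet(packets, policer, subnet="192.100.1.0/24"):
    """Apply the two terms of the filter to (time_s, source_ip, size_bytes) tuples."""
    net = ipaddress.ip_network(subnet)
    actions = []
    for now, src, size in packets:
        if ipaddress.ip_address(src) in net:
            # term match-subnet: the policer is an action modifier, so a
            # conforming packet is accepted; an exceeding one is discarded.
            actions.append("accept" if policer.conforms(now, size) else "discard")
        else:
            # term else-accept: everything else bypasses the policer.
            actions.append("accept")
    return actions


def sample_traffic():
    """Constructed arrivals: a 30-packet burst, one unrelated packet, then 13 more."""
    burst = [(0.0, "192.100.1.10", 1000)] * 30
    other = [(0.0, "10.0.0.1", 1000)]
    later = [(1.0, "192.100.1.10", 1000)] * 13
    return burst + other + later


def run_sample():
    p1 = Policer(bandwidth_limit_bps=100_000, burst_size_limit_bytes=20_000)
    return rate_limit_subnet(sample_traffic(), p1)


if __name__ == "__main__":
    results = run_sample()
    print("accepted:", results.count("accept"), "discarded:", results.count("discard"))
    print("Fast Ethernet, 5 ms burst:", burst_size_bytes(100_000_000, 5), "bytes")
```

The burst drains the 20,000-byte bucket after 20 packets; one second later only 12,500 bytes of tokens have been refilled, so the 13th packet of the second group is discarded as well.
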

show firewall counter filter filter-name counter-name

show firewall log

clear firewall filter filter-name

A filter name or a blank space appears if the RE handles the packet. Otherwise, a dash ( – ) or pfe appears instead of the filter name to indicate that the packet was handled by the PFE. The contents in the firewall log clear when the system reboots.

Automated Antispoofing Filters

Reverse Path-Forwarding

RPF checks can be combined with firewall filters on the same interface. Enabling this feature increases PFE memory consumption

Strict vs Loose modes

Strict is used by default

By default JunOS checks only the active path to the prefix, which causes drops when multiple paths exist (asymmetric routing). Multiple paths can be allowed with set routing-options forwarding-table unicast-reverse-path feasible-paths

Fail Filters

By default RPF discards traffic that fails the RPF check; an optional fail filter can be specified, however. In this filter any action can be defined, including accepting traffic even though it fails the RPF check. (To see these packets (RPF check failed) in the log, logging must be configured in the fail filter.)

set interfaces em0 unit 0 family inet rpf-check fail-filter rpf-dhcp
set interfaces em0 unit 0 family inet address 10.1.12.1/24
set interfaces lo0 unit 0 family inet address 10.2.2.2/32
set firewall family inet filter rpf-dhcp term dhcp from source-address 0.0.0.0/32
set firewall family inet filter rpf-dhcp term dhcp from destination-address 255.255.255.255/32
set firewall family inet filter rpf-dhcp term dhcp then accept
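
Added example (not part of the original notes): a Python model of the RPF decision described above, covering strict mode, feasible-paths, loose mode and the rpf-dhcp fail filter. The route table is constructed, contains no default route, and the function names are hypothetical.

```python
import ipaddress

# Constructed forwarding state: prefix -> [(interface, is_active_path)].
ROUTES = {
    "10.1.12.0/24": [("em0", True)],
    "172.16.50.0/24": [("em1", True), ("em0", False)],   # two paths, em1 is active
}


def lookup(src):
    """Longest-prefix match on the source address; returns its path list or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, paths in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, paths)
    return best[1] if best else None


def rpf_pass(src, in_if, mode="strict", feasible_paths=False):
    """Strict: the source must be reachable through the ingress interface
    (active path only, or any path with feasible-paths).
    Loose: any route to the source is enough."""
    paths = lookup(src)
    if paths is None:
        return False
    if mode == "loose":
        return True
    return any(ifname == in_if and (active or feasible_paths)
               for ifname, active in paths)


def fail_filter_rpf_dhcp(src, dst):
    """Term dhcp of the rpf-dhcp filter: accept 0.0.0.0 -> 255.255.255.255.
    Anything else falls to the filter's default discard."""
    return src == "0.0.0.0" and dst == "255.255.255.255"


def handle(src, dst, in_if, mode="strict", feasible_paths=False, fail_filter=None):
    """Return the fate of one packet arriving on `in_if`."""
    if rpf_pass(src, in_if, mode, feasible_paths):
        return "forward"
    if fail_filter is not None and fail_filter(src, dst):
        return "accept"          # failed RPF, rescued by the fail filter
    return "discard"


if __name__ == "__main__":
    cases = [
        ("10.1.12.7", "10.2.2.2", {}),
        ("172.16.50.9", "10.2.2.2", {}),                          # asymmetric path
        ("172.16.50.9", "10.2.2.2", {"feasible_paths": True}),
        ("0.0.0.0", "255.255.255.255", {}),                       # DHCP client broadcast
        ("0.0.0.0", "255.255.255.255", {"fail_filter": fail_filter_rpf_dhcp}),
    ]
    for src, dst, opts in cases:
        print(src, "->", dst, opts and sorted(opts), handle(src, dst, "em0", **opts))
```
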

 


JNCIA-Junos study notes, part 4

The platform's primary monitoring tool is the CLI, which includes the show and monitor commands. The secondary ones are J-Web, SNMP, and hardware LEDs/LCDs

show system
alarms : This argument displays current system alarms;
boot-messages : This argument displays the messages seen during the last system boot;
connections : This argument displays the status of local TCP and UDP connections;
statistics: This argument provides options for viewing various protocol statistics;
storage: This argument displays the status  of the file system storage space.

show chassis
alarms : This argument displays current chassis alarms;
environment : This argument displays component  and environmental status as well as the operational speeds of the cooling system;
hardware : This argument displays an inventory  of the installed hardware components along with the serial number of each component; and
routing-engine: This argument provides operational status and utilization details for the Routing Engine (RE).

Traffic capture

Capture traffic to a file (hidden command)
monitor traffic write-file captura

Capture in real time on a specific interface

[email protected]# run monitor traffic interface em5 no-resolve ?
Possible completions:
<[Enter]>            Execute this command
absolute-sequence    Display absolute TCP sequence numbers
brief                Display brief output
count                Number of packets to receive (0..1000000 packets)
detail               Display detailed output
extensive            Display extensive output
layer2-headers       Display link-level header on each dump line
matching             Expression for headers of receive packets to match
no-domain-names      Don’t display domain portion of hostnames
no-promiscuous       Don’t put interface into promiscuous mode
no-timestamp         Don’t print timestamp on each dump line
print-ascii          Display packets in ASCII when displaying in hexadecimal format
print-hex            Display packets in hexadecimal format
resolve-timeout      Period of time to wait for each name resolution (seconds)
size                 Amount of each packet to receive (bytes)
|                    Pipe through a command

[email protected]# run monitor traffic interface em5 no-resolve detail
Address resolution is OFF.
Listening on em5, capture size 1514 bytes

18:00:02.101361  In IP6 (hlim 1, next-header: UDP (17), length: 107) fe80::6101:1a73:bc24:3daf.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit(C cliaddr=8:2:189d:1:e:1:1:188a relayaddr=2145:d4be:d963:d2be:3:c:5300:5056)
18:00:02.983638 Out IP (tos 0xc0, ttl   1, id 12712, offset 0, flags [none], proto: OSPF (89), length: 64) 172.20.101.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 9.9.9.9, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 172.20.101.1
18:00:02.985453 Out IP (tos 0xc0, ttl   1, id 12713, offset 0, flags [none], proto: OSPF (89), length: 64) 172.20.110.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 9.9.9.9, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 172.20.110.1
^C
3 packets received by filter
0 packets dropped by kernel

Unified In-Service Software Upgrade (ISSU)

Allows an upgrade without disruption to the control plane; it is only supported with 2 Routing Engines. Graceful Routing Engine Switchover (GRES) and NonStop Active Routing (NSR) must be enabled. Not all platforms support NSR, and during the version change no online/offline operations can be performed on the PICs

Steps to perform a Unified ISSU:

1. Enable GRES and NSR and verify that the protocols are synchronized
2. On the master RE, run request system software in-service-upgrade

Password Recovery

During the reboot process, press Space

loader> boot -s (to boot into single-user mode, similar to Linux)

When the system starts it asks for the recovery script; just type recovery, and the system boots allowing login without a password
After changing the password, leave with 'exit' to reboot automatically

Remove/Copy Files

[email protected]# run file ?
Possible completions:
<[Enter]>            Execute this command
archive              Archives files from the system
checksum             Calculate file checksum
compare              Compare files
copy                 Copy files (local or remote)
delete               Delete files from the system
list                 List file information
rename               Rename files
show                 Show file contents
source-address       Local address to use in originating the connection
|                    Pipe through a command

[email protected]# run file show /config/?
Possible completions:
<[Enter]>            Execute this command
<filename>           Filename to show
/config/juniper.conf.1.gz  Size: 458, Last changed: May 24 19:58:53
/config/juniper.conf.2.gz  Size: 454, Last changed: May 23 21:17:12
/config/juniper.conf.3.gz  Size: 450, Last changed: May 23 15:03:46
/config/juniper.conf.gz  Size: 452, Last changed: May 24 20:00:08
/config/juniper.conf.md5  Size: 32, Last changed: May 22 23:45:51
/config/rescue.conf.gz  Size: 454, Last changed: May 24 19:57:27

Using Groups

Define a group
Note: this group only takes effect on em* interfaces

set groups CONFIG_IF_EM interfaces <em*> description "By group"
set groups CONFIG_IF_EM interfaces <em*> vlan-tagging
set groups CONFIG_IF_EM interfaces <em*> speed 10m
set groups CONFIG_IF_EM interfaces <em*> link-mode half-duplex
set groups CONFIG_IF_EM interfaces <em*> unit 0 vlan-id 1
set groups CONFIG_IF_EM interfaces <em*> unit 0 family inet
set groups CONFIG_IF_EM interfaces <em*> unit 0 family inet6

[email protected]# set interfaces em4 apply-groups CONFIG_IF_EM

[email protected]# show interfaces em4 | display inheritance | except #
description "By group";
vlan-tagging;
speed 10m;
link-mode half-duplex;
unit 0 {
    vlan-id 1;
    family inet;
    family inet6;
}

[edit]

[email protected]# show interfaces em4 | display inheritance
##
## 'By group' was inherited from group 'CONFIG_IF_EM'
##
description "By group";
##
## 'vlan-tagging' was inherited from group 'CONFIG_IF_EM'
##
vlan-tagging;
##
## '10m' was inherited from group 'CONFIG_IF_EM'
##
speed 10m;
##
## 'half-duplex' was inherited from group 'CONFIG_IF_EM'
##
link-mode half-duplex;
##
## '0' was inherited from group 'CONFIG_IF_EM'
##
unit 0 {
    ##
    ## '1' was inherited from group 'CONFIG_IF_EM'
    ##
    vlan-id 1;
    ##
    ## 'inet' was inherited from group 'CONFIG_IF_EM'
    ##
    family inet;
    ##
    ## 'inet6' was inherited from group 'CONFIG_IF_EM'
    ##
    family inet6;
}

[edit]

[email protected]# show interfaces ae0
apply-groups CONFIG_IF_EM;
vlan-tagging;
aggregated-ether-options {
    lacp {
        active;
    }
}

[edit]
[email protected]# show interfaces ae0 | display inheritance
vlan-tagging;
aggregated-ether-options {
    lacp {
        active;
    }
}

[edit]

Routing

Routing preference values can range from 0 to 4,294,967,295.

* – indicates the active route

holddown – routes in a pending state before the system declares them inactive
hidden – routes the system cannot use because of an invalid next hop and/or route policy

show route forwarding-table

Some routes are permanent by nature, as is the case with the default entry (Type perm). The router uses this entry to discard traffic when there is no route to a given destination; after the discard it sends an ICMP unreachable to the source host

If a default route exists in the table, the router uses it instead of the Type perm entry

Route types:

cloned (clon) – (TCP or multicast only) Cloned route.
destination (dest) – Remote addresses directly reachable through an interface.
destination down (iddn) – Destination route for which the interface is unreachable.
interface cloned (ifcl) – Cloned route for which the interface is unreachable.
route down (ifdn) – Interface route for which the interface is unreachable.
ignore (ignr) – Ignore this route.
interface (intf) – Installed as a result of configuring an interface.
permanent (perm) – Routes installed by the kernel when the routing table is initialized.
user – Routes installed by the routing protocol process or as a result of the configuration.

Next-hop Types:

broadcast (bcst) – Broadcast.
deny – Deny.
hold – Next hop is waiting to be resolved into a unicast or multicast type.
indexed (idxd) – Indexed next hop.
indirect (indr) – Indirect next hop.
local (locl) – Local address on an interface.
routed multicast (mcrt) – Regular multicast next hop
multicast (mcst) – Wire multicast next hop (limited to the LAN).
multicast discard (mdsc) – Multicast discard.
multicast group (mgrp)  – Multicast group member.
receive (recv) – Receive.
reject (rjct) – Discard. An ICMP unreachable message was sent.
resolve (rslv) – Resolving the next hop.
unicast (ucst) – Unicast.
unilist (ulst) – List of unicast next hops. A packet sent to this next hop goes to any next hop in the list.

By default JunOS creates the master instance and other private instances. These private instances are for internal JunOS use (communication between hardware components).

[email protected]> show route instance
Instance             Type
Primary RIB                                     Active/holddown/hidden
__juniper_private1__ forwarding
__juniper_private1__.inet.0                     0/0/1
__juniper_private1__.inet6.0                    1/0/0

__juniper_private2__ forwarding
__juniper_private2__.inet.0                     0/0/1

__master.anon__      forwarding

master               forwarding
inet.0                                          8/0/0
inet6.0                                         1/0/0

Instance Types

forwarding: Used to implement filter-based forwarding for common Access Layer applications;
l2vpn: Used in Layer 2 VPN implementations;
no-forwarding :  Used to separate large networks into smaller administrative entities;
virtual-router: Used for non-VPN-related applications such as system virtualization; “VRF-lite”
vpls:  Used for point-to-multipoint LAN implementations between a set of sites in a VPN;
vrf :  Used in Layer 3 VPN implementations.

[email protected]# set routing-instances <instance-name> instance-type <instance-type>

[email protected]>show route table new-instance.inet.0
[email protected]>show interfaces terse routing-instance new-instance
[email protected]>traceroute 2.2.2.2 routing-instance new-instance

Static Routing

The next hop can be a bit-bucket option; the discard/reject options drop the traffic:

  • discard drops silently (does not send ICMP)
  • reject sends an ICMP unreachable

Static routing configuration

routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.30.25.1;
        route 172.28.102.0/24 {
            next-hop 10.210.11.190;
            no-readvertise;
        }
    }
}

The next hop must be directly connected, because by default JunOS does not perform recursive lookups. To enable recursion, use the resolve option

set routing-options static route 0.0.0.0/0 next-hop 172.30.25.1
set routing-options static route 172.28.102.0/24 next-hop 10.210.11.190 resolve
set routing-options static route 172.28.102.0/24 next-hop 10.210.11.190 resolve

Qualified Next hops

Allows a preference to be set for a route (floating route)

qualified-next-hop x.x.x.x {
    preference 7;
}
