Tag Archives: Ntp

JNCIA-Junos study notes, part 3

Interface Overview

fxp0 and me0 for management

fxp1 and em0 for the internal interface (interconnection between the Control Plane and the Forwarding Plane)

Interface Naming

es: Encryption interface;
gr: Generic route encapsulation tunnel interface;
ip: IP-over-IP encapsulation tunnel interface;
ls: Link services interface;
ml: Multilink interface;
mo: Passive monitoring interface;
mt: Multicast tunnel interface;
sp: Adaptive services interface;
vt: Virtual loopback tunnel interface;
lo0: Loopback interface;
ae: Aggregated Ethernet interface;
as: Aggregated SONET interface;
vlan: VLAN interface.

Some of the internal (non-configurable) interfaces created by Junos:
• gre
• mtun
• ipip
• tap

FPC – Flexible PIC Concentrator
Line card (FPC) slot number
Interface card (PIC) slot number
Note: slot/port numbering starts at 0
ge-0/2/3 = port 3 on PIC slot 2 in FPC slot 0

Logical Units

Treated as subinterfaces; a unit can carry more than one family, for example inet and inet6

Configuring Authentication

Supports RADIUS and TACACS+

Defining a class with privileges

There are 4 default classes: operator, read-only, super-user and unauthorized
A user can only be assigned to one class

set system login class juniper permissions reset permissions view permissions view-configuration
set system login user walter class juniper

Note: the reset permission allows restarting processes, but not, for example, rebooting

[email protected]> show configuration
## Last commit: 2014-05-25 17:11:18 WEST by root
version /* ACCESS-DENIED */;
/* nao mudem o NTP */
system { /* ACCESS-DENIED */ };
/* n mudem interface */
interfaces { /* ACCESS-DENIED */ };
protocols { /* ACCESS-DENIED */ };

RADIUS server definition

[email protected]# set system radius-server 10.10.10.10 secret Juniper
[edit]
[email protected]# set system authentication-order radius tacplus
[edit]
[email protected]# commit

At least one of the authentication-order methods must respond (be alive); otherwise local authentication is used

R1 (ttyp0)

login: nancy
Password:
Local password:

Logging

By default the primary logging file is /var/messages

Syslog can be configured under the following hierarchies:

edit system syslog
edit routing-options options syslog

set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file config-changes change-log info
set system syslog host 10.1.1.1 any notice
set system syslog host 10.1.1.1 authorization info

Interpreting syslog messages

Fields: timestamp, host, process or PID, message code, message text

May 26 14:27:17  R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress:  notifying eventd(80)
commit complete

To include the severity in each message, configure the explicit-priority statement:
set system syslog file messages explicit-priority

May 26 14:38:13  R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration

The CLI itself can help interpret a log message:

[email protected]# help syslog UI_COMMIT_PROGRESS
Name:          UI_COMMIT_PROGRESS
Message:       Commit operation in progress:
Help:          mgd recorded step in commit operation
Description:   As it performed a commit operation, the management process (mgd)
recorded its execution of the indicated step.
Type:          Event: This message reports an event, not an error
Severity:      info
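As an added example (my own Python, not part of the original notes), a parser that splits Junos syslog lines into the fields listed above and decodes the %FACILITY-SEVERITY-CODE prefix that explicit-priority adds; the sample input is the two lines shown above, one without and one with explicit-priority.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Numeric syslog severities as carried in the %FACILITY-N-CODE prefix.
SEVERITIES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}

# timestamp, host, process[pid]:, optional %FACILITY-N- prefix (only when
# explicit-priority is configured), message code, free-text message.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?:%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-)?"
    r"(?P<code>[A-Z][A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

@dataclass
class JunosLogEntry:
    timestamp: str
    host: str
    process: str
    pid: Optional[int]
    facility: Optional[str]   # None unless explicit-priority is on
    severity: Optional[str]   # severity name such as "info"; None without explicit-priority
    code: str                 # message code, e.g. UI_COMMIT_PROGRESS (the key for 'help syslog')
    text: str

def parse_junos_syslog(line: str) -> Optional[JunosLogEntry]:
    """Parse one Junos syslog line; lines without the standard header
    (such as the bare 'commit complete' echoed by the CLI) return None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    sev = m.group("sev")
    return JunosLogEntry(
        timestamp=m.group("ts"),
        host=m.group("host"),
        process=m.group("proc"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        facility=m.group("facility"),
        severity=SEVERITIES[int(sev)] if sev is not None else None,
        code=m.group("code"),
        text=m.group("text"),
    )

def parse_lines(lines: List[str]) -> List[JunosLogEntry]:
    """Parse many lines, dropping those that are not syslog records."""
    return [e for e in map(parse_junos_syslog, lines) if e is not None]

# Constructed sample: the two lines shown above (first without, then with
# explicit-priority) plus the CLI's own 'commit complete' echo.
SAMPLE_LINES = [
    "May 26 14:27:17  R1 mgd[1366]: UI_COMMIT_PROGRESS: Commit operation in progress:  notifying eventd(80)",
    "commit complete",
    "May 26 14:38:13  R1 mgd[1366]: %INTERACT-6-UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration",
]
```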

Traceoptions

*Equivalent to debug on Cisco*

Junos can send trace output to a file or to syslog

To redirect tracing to a different syslog server, use:

set system tracing destination-override syslog host 10.1.1.2

Example: tracing OSPF hellos

The size can be given with the suffixes K, M or G (KB, MB and GB)
When the trace exceeds that size, the output is rotated across the configured number of files, named trace-file.0, trace-file.1, ...

set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions file size 128m
set protocols ospf traceoptions file files 10
set protocols ospf traceoptions file world-readable
set protocols ospf traceoptions flag hello detail
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail

[email protected]# run file show /var/log/ospf-trace
May 26 14:52:47 trace_on: Tracing to "/var/log/ospf-trace" started
May 26 14:52:47.821578 Interface em5.101 area 0.0.0.0 event NeighborChange
May 26 14:52:47.835103 IFL em5.32767 iflchange 0x0
May 26 14:52:47.836167 IFL em5.110 iflchange 0x0
May 26 14:52:47.836334 IFL em5.102 iflchange 0x0
May 26 14:52:47.836498 IFL em5.101 iflchange 0x0
May 26 14:52:47.836643 IFL em5.0 iflchange 0x0
May 26 14:52:47.836793 IFL lo0.16385 iflchange 0x0
May 26 14:52:47.836891 IFL lo0.16384 iflchange 0x0
May 26 14:52:47.837115 IFL lo0.0 iflchange 0x0
*
*(omitted)
*
May 26 14:52:47.867410 OSPF updated PPM interface IFL 84, addr 172.20.110.1, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0
May 26 14:52:47.867614 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.867816 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.868182 OSPF cannot stop xmit from 172.20.101.1 to 224.0.0.5 (IFL 82, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)
May 26 14:52:47.873156 OSPF cannot stop xmit from 172.20.110.1 to 224.0.0.5 (IFL 84, area 0.0.0.0, ID 0.0.0.0, rtbl idx 0)

AND and OR operators

AND operator
[email protected]# run show log messages | find "May 26" | match "error"

OR operator
[email protected]# run show log messages | match "May 26" | match "error|kernel"

Monitoring log messages
[email protected]> monitor start messages | match fail

Stop receiving messages
[email protected]> monitor stop

NTP

set system ntp server 10.10.10.10
set system ntp boot-server 10.10.10.10

[email protected]# run show ntp associations
remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.10.10.10         .INIT.          16 -  395 1024    0    0.000    0.000 4000.00

The * marks the host selected for synchronization

Archiving

Back up the configuration via FTP/SCP after each commit; configuring several destinations means that if the primary site fails the second one is used, and so on

set system archival configuration transfer-on-commit
set system archival configuration archive-sites "ftp://[email protected]:/archive" password #FAZER!SEMPRE_BACKUP#
set system archival configuration archive-sites "scp://[email protected]:/archive" password #FAZER!SEMPRE_BACKUP#

[email protected]# commit
[email protected]# run show log messages | match ftp
May 26 16:11:40  R1 fetch: %DAEMON-3: fetch: ftp://[email protected]:*: No route to host

Copies of the files are kept in /var/transfer/config

[email protected]# run file list /var/transfer/config/ detail

/var/transfer/config/:
total 28
-rw-r-----  1 root  wheel       1101 May 26 16:10 R1_juniper.conf.gz_20140526_151053
-rw-r-----  1 root  wheel       1101 May 26 16:11 R1_juniper.conf.gz_20140526_151127
-rw-r-----  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151206
-rw-r-----  1 root  wheel       1101 May 26 16:12 R1_juniper.conf.gz_20140526_151254
-rw-r-----  1 root  wheel       1187 May 26 16:23 R1_juniper.conf.gz_20140526_152319

To take regular backups of the configuration, use:

Note: every 24 hours (1440 minutes)

set system archival configuration transfer-interval 1440

SNMP

set snmp location LISDC-Rack122
set snmp contact "ip@cocheno.com"
set snmp community JUNIPER
set snmp trap-options source-address lo0
set snmp trap-group group-SNMP categories link
set snmp trap-group group-SNMP categories routing
set snmp trap-group group-SNMP targets 10.10.10.10
set snmp trap-group group-SNMP targets 10.10.10.11
set snmp trap-group group-SNMP version v2
set snmp community JUNIPER clients 192.168.20.0/24

Performing an SNMP walk (output can be requested in decimal or ascii)

[email protected]> show snmp mib walk jnxOperatingDescr
jnxOperatingDescr.1.1.0.0 = midplane
jnxOperatingDescr.2.1.0.0 = PEM 0
jnxOperatingDescr.4.1.0.0 = SRX240 PowerSupply fan 1

References:

JNCIA-Junos study notes, part 1

JNCIA-Junos study notes, part 2

Help

Junos has a built-in reference library that lets you, for example, look up the meaning of a syslog message.

[email protected]# help ?
Possible completions:
<[Enter]>            Execute this command
apropos              Find help information about a topic
reference            Reference material
syslog               System log error messages
tip                  Tip for the day
topic                Help for high level topics
|                    Pipe through a command

Separation of configuration edit and activation

validation checks
version control
automated rollback

candidate configuration -> commit -> validated configuration -> active configuration

configure private – lets multiple users edit the configuration at the same time

configure exclusive – prevents others from making changes while you are connected to the device

show command – displays the candidate configuration relative to the current hierarchy level

Set/Edit Command

From the top
[email protected]# set system services finger
[email protected]# set system services ftp
[email protected]# set system services ssh

From a sublevel
[email protected]# edit system services
[edit system services]
[email protected]# set finger
[email protected]# set ftp
[email protected]# set ssh

Rollback

Only modifies the candidate config (don't forget to commit)

rollback 0 – resets the candidate to the currently active config
rollback n – n is the number of the config that was active
rollback rescue – loads the previously created rescue file

Committing at a scheduled time

[email protected]# commit at 02:00:00

run command – lets you execute operational-mode commands from configuration mode

Junos System Health
Real-time Performance Monitoring (RPM)
Flow accounting – cflowd

Health monitor
RMON

Junos System Health Diagnostics

System logging
hardware and operating events
Trace logging
protocol operations
snmp

Routing tables

Predefined routing tables
inet.0   IPv4 unicast
inet.1   multicast forwarding cache
inet.2   used by MBGP to allow reverse path forwarding (RPF) checks
inet.3   used for MPLS path information
inet.4   used for MSDP routes
inet6.0  used for IPv6 unicast
mpls.0   used for MPLS next hops

Route preference = Administrative Distance (Cisco World)

DIRECT 0
LOCAL 0
STATIC 5
OSPF internal 10
RIP 100
OSPF AS external 150
BGP (both EBGP and IBGP) 170

show route forwarding-table – there is a default entry, used when the prefix does not exist, that notifies the source device with an ICMP unreachable

Default Routing Instance

The default unicast routing instance is named master; it includes inet.0 and may also include inet6.0

show route instance

User-Defined instances

edit routing-instances new-instance instance-type instance-type

There are several instance types:

forwarding - Forwarding instance
l2vpn - Layer 2 VPN routing instance
layer2-control - Layer 2 control protocols
no-forwarding - Nonforwarding instance
virtual-router - Virtual routing instance
virtual-switch - Virtual switch routing instance
vpls - VPLS routing instance
vrf - Virtual routing forwarding instance

show route table new-instance.inet.0

Static routes

The next hop can be a bit bucket: the discard and reject options drop the traffic.

discard – drops silently (no ICMP sent)
reject – sends an ICMP unreachable

[edit routing-options]
static {
    route 0.0.0.0/0 next-hop 172.30.25.1;
    route 172.28.102.0/24 {
        next-hop 10.210.11.190;
        no-readvertise;
        resolve;
    }
}

The next hop must be directly connected, because by default Junos does not perform recursive lookups. To allow them, use the resolve statement

Qualified next hops

Allow setting the preference of a route per next hop (floating static route)

qualified-next-hop x.x.x.x {
    preference 7;
}

Config OSPF

From version 8.x onwards, lo0/router-id is advertised automatically

edit protocols ospf
set area 0 interface ge-0/0/1    (if no unit is given, Junos assumes unit 0)
set area 0 interface ge-0/0/3.0 passive

Junos converts area 0 to dotted decimal 0.0.0.0

show
area 0.0.0.0 {
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
    interface ge-0/0/3.0 {
        passive;
    }
}

show ospf neighbor {detail,extensive}
show route protocol ospf

NETCONF XML Interface

set system load patch terminal

NTP

For the system to synchronize its clock at boot time, configure:

set system ntp boot-server 1.1.1.1

set system time-zone Europe/Lisbon

request system configuration rescue {save | delete} – saves (or deletes) a copy of the current config as the rescue config

rollback rescue – this command only changes the candidate config

Operational Mode

show system command arguments:
alarms: displays current system alarms
boot-messages: displays the messages seen during the last system boot
connections: displays the status of local TCP and UDP connections
processes: displays the system's process table
statistics: provides options for viewing various protocol statistics
storage: displays the status of the file system storage space

show version detail (includes the versions of the installed packages)

Junos Naming Convention

Package-release-edition

jroute-10.1R1.8-domestic-signed.tgz
release:
• Describes the Junos version
• Includes major and minor release numbers, release type (Release,Beta or Internal), build number and spin number
edition:
• Versions are either domestic-supporting strong encryption, or export-not supporting encryption
• Federal Information Processing Standards (or FIPS) editions provide advanced network security

the letter is an R to indicate that this is released software. If you are involved in testing prereleased software, this letter might be a B (for beta-level software) or I (for internal, test, or experimental versions of software). The release also includes a build and spin number for the Junos version. Here, the release is 9.5R1.8, which is version 9.5, which has been released, build 1, spin 8.

-signed.tgz – Junos software is digitally signed and compressed using Secure Hash Algorithm (SHA-1) and Message Digest 5 (MD5) checksums. A package is installed only if the checksum within it matches the hash recorded in its corresponding file. The actual checksum used depends on the software version.

Packages:
jinstall used on M/MX/T Series
jinstall-ex used on EX Series
junos-jsr used on J Series
junos-srx used on SRX Series

Upgrading JunOS

> request system software add /var/tmp/jbundle-10.1R1.8-domestic.tgz reboot

Commands useful when upgrading software:
• request system software add /var/tmp/<image-name>  upgrades the software
• request system storage cleanup  deletes images
• show system storage  displays compact-flash device storage details
• request system software add /var/tmp/<image-name> reboot  upgrades the software and reboots

Lets you check which files would be deleted:

[email protected]> request system storage ?
Possible completions:
cleanup              Clean up temporary files and rotate logs
[email protected]> request system storage cleanup ?
Possible completions:
<[Enter]>            Execute this command
dry-run              Only list the cleanup candidates, do not remove them

[email protected]> request system storage cleanup dry-run

References:

JNCIA-Junos study notes, part 1

Network Time Protocol (NTP) notes

The system starts its clock when it boots and keeps track of the date and time from then on.

The system clock can be updated in the following ways:

  • NTP
  • Simple Network Time Protocol (SNTP)
  • Virtual Integrated Network Service (VINES) Time Service
  • Manual configuration

NTP keeps the date and time synchronized across the various devices; it can be configured in the following modes:

  • Client/Server
  • Symmetric Active/Passive – a group of low-stratum peers operate as backups for one another. Each peer uses its own primary references and, if they fail, falls back on the peers; this operation is described as push-pull. A peer is configured in Symmetric Active mode with the peer command. The other peer should be configured the same way.
    Note: if the other peer is not configured with the peer command, the association is formed in Symmetric Passive mode when a Symmetric Active message is received.
  • Broadcast

Example:

Connections:

R1-------s2/1-R2-f0/1----------f0/0-R3

Authenticate NTP between R1/R3
R1 must be in Symmetric Active mode
R3 receives NTP via broadcast

R1(config)#
ntp authentication-key 1 md5 CCIE
ntp authenticate
ntp trusted-key 1
ntp server 192.168.2.2
ntp peer 192.168.2.2

R2(config)#
ntp authentication-key 1 md5 CCIE
ntp authenticate
ntp trusted-key 1
ntp master 2

R3(config)#
int f0/1
ntp broadcast client

R2#sh ntp associations

address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.7.1      .LOCL.            1     5    64  377     0.0    0.00     0.0
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R2#sh ntp status
Clock is synchronized, stratum 2, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D62E1DCD.301D493F (15:48:29.187 UTC Wed Nov 13 2013)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec

R1#sh ntp associations de
192.168.2.2 configured, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time D62E1E4D.301CB65E (15:50:37.187 UTC Wed Nov 13 2013)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 25.284
delay 12.12 msec, offset 6.2250 msec, dispersion 19.20
precision 2**24, version 3
org time D62E1E63.80060ECC (15:50:59.500 UTC Wed Nov 13 2013)
rcv time D62E1E63.7FCF0483 (15:50:59.499 UTC Wed Nov 13 2013)
xmt time D62E1E63.747ED2BE (15:50:59.455 UTC Wed Nov 13 2013)
filtdelay =    44.14   19.94   47.94   12.12   39.92   40.07   27.91   36.16
filtoffset =   22.92  -16.03    3.07    6.23   11.91   -4.44   -2.76    0.59
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85

R3#sh ntp associations

address         ref clock     st  when  poll reach  delay  offset    disp
* 192.168.20.2     127.127.7.1       2    18    64  376    16.1   13.55    15.9
* master (synced), # master (unsynced), + selected, - candidate, ~ configured

R3#sh ntp ass detail
192.168.20.2 dynamic, our_master, sane, valid, stratum 2
ref ID 127.127.7.1, time D62E1E8D.301D95DD (15:51:41.187 UTC Wed Nov 13 2013)
our mode bdcast client, peer mode bdcast, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 376, sync dist 24.002
delay 16.07 msec, offset 13.5468 msec, dispersion 15.95
precision 2**24, version 3
org time D62E1E9C.301B1A0A (15:51:56.187 UTC Wed Nov 13 2013)
rcv time D62E1E9C.2CA64C21 (15:51:56.174 UTC Wed Nov 13 2013)
xmt time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
filtdelay =    16.07   16.07   16.07   16.07   16.07   16.07   16.07   16.07
filtoffset =   13.55    1.73   25.91  -16.53   -5.48   -6.40    1.73  -12.14
filterror =     0.99    1.97    2.94    3.92    4.90    5.87    6.85    7.83
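As an added example (my own Python, not from the original notes), decoding the hexadecimal NTP timestamps printed in the association detail above: the 64-bit value is seconds since 1900-01-01 plus a 32-bit binary fraction, and the all-zero xmt time shown by the broadcast client means "no timestamp", not 1 January 1900. R3's four time lines are copied from the output above as the sample input.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def ntp_hex_to_datetime(ts: str) -> Optional[datetime]:
    """Decode an NTP timestamp printed as SECONDS.FRACTION (two 32-bit hex
    words, as in 'show ntp associations detail') into a UTC datetime.

    The all-zero value means 'no timestamp' (a broadcast client never
    transmits, so its xmt time is 00000000.00000000) and decodes to None."""
    secs_hex, frac_hex = ts.split(".")
    secs, frac = int(secs_hex, 16), int(frac_hex, 16)
    if secs == 0 and frac == 0:
        return None
    # Era handling: the 32-bit seconds field wraps in 2036. A value with the
    # high bit clear is taken to belong to era 1 (2036-2104), per RFC 5905.
    if not secs & 0x80000000:
        secs += 1 << 32
    micros = (frac * 1_000_000) >> 32        # binary fraction -> microseconds
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=micros)

def ntp_hex_to_unix(ts: str) -> int:
    """Whole-second Unix time for the same hex timestamp (era 0 only)."""
    return int(ts.split(".")[0], 16) - NTP_UNIX_OFFSET

# Matches the 'ref ID ..., time', 'org time', 'rcv time' and 'xmt time' lines.
_TIME_FIELD = re.compile(r"^(?P<field>ref ID \S+, time|org time|rcv time|xmt time)\s+"
                         r"(?P<ts>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})")

def decode_assoc_detail(output: str) -> Dict[str, Optional[datetime]]:
    """Pull every hex timestamp out of an association-detail dump and decode it."""
    decoded: Dict[str, Optional[datetime]] = {}
    for line in output.splitlines():
        m = _TIME_FIELD.match(line.strip())
        if m:
            key = "ref time" if m.group("field").startswith("ref ID") else m.group("field")
            decoded[key] = ntp_hex_to_datetime(m.group("ts"))
    return decoded

# Sample input copied from R3's output above (broadcast client, hence the zero xmt time).
SAMPLE_R3 = """\
ref ID 127.127.7.1, time D62E1E8D.301D95DD (15:51:41.187 UTC Wed Nov 13 2013)
org time D62E1E9C.301B1A0A (15:51:56.187 UTC Wed Nov 13 2013)
rcv time D62E1E9C.2CA64C21 (15:51:56.174 UTC Wed Nov 13 2013)
xmt time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
"""

if __name__ == "__main__":
    for field, when in decode_assoc_detail(SAMPLE_R3).items():
        print(f"{field:9s} {when.isoformat(timespec='milliseconds') if when else 'no timestamp'}")
```

The decoded values match the human-readable times the router prints beside each hex field, which makes the function a handy cross-check when comparing captures from different devices.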