Juniper, first steps after powering on the device

As you know from my previous posts, I’m trying to find time to gain some Juniper knowledge. During this “quest” I will add here some basic things about how to start working with Juniper devices. For now I know only the basics of Juniper configuration, but I hope that soon you’ll find here some more challenging scenarios.

I have a basic topology that you’ll find below. The scenario is already prepared with some tasks that involve integration between a Juniper and a Cisco environment.

Let’s assume that I powered on the two boxes J1 and J2 and that I’m now connected to J1 through a console cable. After the boot sequence I’m left with something like this:

Tue Jun 12 11:46:06 UTC 2012
 
Amnesiac (ttyd0)
 
login:

All platforms running the Junos OS have only the root user configured by default, without any password. At this point the console is the only way in, since the factory default shown later in this post configures no interfaces and no management services. Let’s enter that username and see what happens:

login: root
Password:
 
--- JUNOS 9.4R2.9 built 2009-03-25 07:50:02 UTC
root@%

What I have in front of me now is actually the FreeBSD shell: Junos is built on FreeBSD, and the `%` prompt is the csh shell you can see in the process list below. If you have ever worked on Linux or any other Unix-like system, the usual commands work here. For example:

root@% ls
.snap           boot            jail            modules         sbin
COPYRIGHT       config          kernel          opt             staging
altconfig       data            libexec         packages        tmp
altroot         dev             mfs             proc            usr
bin             etc             mnt             root            var
root@% 
root@% ps u
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root  1153  0.0  0.2  1492   936  v0  Is+  11:46AM   0:00.02 /usr/libexec/getty
root   941  0.0  0.4  2636  2176  d0- S    11:46AM   0:00.14 /usr/sbin/eventd -
root  1264  0.0  0.2  1676  1252  d0  Is   11:50AM   0:00.05 login [pam] (login
root  1265  0.0  0.5  3872  2744  d0  S    11:51AM   0:00.21 -csh (csh)
root  1289  0.0  0.2  1612   996  d0  R+   11:54AM   0:00.01 ps u

OK, you got my point. To get from the FreeBSD shell to the Junos CLI, enter the following:

root@% cli
root>

What you see now is Operational Mode. In this mode the user runs monitoring and troubleshooting commands (show, ping, traceroute and so on); configuration changes are made elsewhere. You can get a list of commands using ? (the question mark):

root> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute           Trace route to remote host

If you want a comparison, Operational Mode is somewhat like privilege level 1 (user EXEC) in the Cisco CLI. Still, I have the feeling that Operational Mode offers a wider and more powerful set of commands than Cisco privilege level 1 (note `request`, `restart` and `start shell` in the list above, which are root-level operations here because I am logged in as root). I may be mistaken.

All platforms running the Junos OS come with a factory-default configuration. All factory-default configurations allow access using the root account without any password. Nevertheless, before you can activate (commit) any configuration, you first have to set the root password. Factory-default configurations can vary from one platform family to another, or even between different models within the same platform family.
My default configuration looks like this:

root> show configuration 
version 9.4R2.9;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}

In this first post my target is to set the hostname of the Juniper devices. To accomplish this, I first need to go into configuration mode:

root> configure 
Entering configuration mode
The configuration has been changed but not committed
 
[edit]
root#

and then set the hostname:

root# set system host-name J1 
 
[edit]

If I look at the prompt, it still shows root#, so it doesn’t quite seem to work. This is because the change only lives in the candidate configuration; I have to commit to activate it:

root# commit 
[edit]
  'system'
    Missing mandatory statement: 'root-authentication'
error: commit failed: (missing statements)
 
[edit]
root#

Well, this didn’t work as expected. The most important thing I learned when I started with Juniper is that before I can activate any configuration (commit) I need to set a password for the root user. The CLI prompts for it, so the password itself never appears on the command line (which matters, because the default syslog configuration above logs every interactive command):

root# set system root-authentication plain-text-password              
New password:
Retype new password:
 
[edit]
root#

Let me try to commit one more time, after setting the root password:

root# commit 
commit complete
 
[edit]
root@J1#

You can see that the prompt changed to root@HOSTNAME# (in my case root@J1#). I will exit Configuration Mode and have another look at the configuration:

root@J1> show configuration 
## Last commit: 2012-06-12 12:38:22 UTC by root
version 9.4R2.9;
system {
    host-name J1;
    root-authentication {
        encrypted-password "$1$DKpYj/Nd$TVFTars5T2.oM3y5eyp520"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
 
root@J1>

The host-name and root password now appear in the active configuration. Note that the password is stored as a crypt-style hash marked ## SECRET-DATA; the `$1$` prefix identifies MD5-crypt, which is weak by current standards (newer Junos releases can store SHA-512 `$6$` hashes instead). Treat that hash as sensitive: it can be cracked offline, and it can be replayed directly with `set system root-authentication encrypted-password`, so never publish a real one as I did here only for a lab box.
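As an added example (not code from the original post, nor Juniper’s own implementation), here is a small Python script that parses the curly-brace configuration format shown above and reproduces the pre-commit check that Junos performed: it reports the missing mandatory `root-authentication` statement, and additionally flags an MD5-crypt (`$1$`) root hash and a missing host-name. The two configuration texts are constructed for the example and the hash in them is a placeholder, not a real credential.

```python
"""Added example: parse Junos-style brace configuration text and run the
pre-commit checks the post runs into by hand. Not Juniper code."""

# Constructed sample configurations (the hash below is a fake placeholder).
FACTORY_DEFAULT = """
## Last commit: never
version 9.4R2.9;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
}
"""

COMMITTED = """
## Last commit: 2012-06-12 12:38:22 UTC by root
version 9.4R2.9;
system {
    host-name J1;
    root-authentication {
        encrypted-password "$1$saltsalt$fakehashfakehashfakeha"; ## SECRET-DATA
    }
}
"""

MISSING_ROOT_AUTH = "system: Missing mandatory statement: 'root-authentication'"
HASH_TYPES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}


def parse(text):
    """Turn Junos curly-brace text into nested dicts.

    A block ('system {') becomes a dict; a leaf statement ('host-name J1;')
    maps its first word to the rest of the line (None if there is no value).
    '##' annotations such as SECRET-DATA and 'Last commit' are dropped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip().strip('"') or None
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def hash_type(config):
    """Identify the crypt scheme of the stored root password, if any."""
    auth = config.get("system", {}).get("root-authentication")
    if not isinstance(auth, dict):
        return None
    pw = auth.get("encrypted-password") or ""
    return HASH_TYPES.get(pw[:3], "unknown")


def precommit_check(config):
    """Return a list of findings; an empty list would mean 'commit complete'."""
    findings = []
    system = config.get("system", {})
    if not isinstance(system.get("root-authentication"), dict):
        # The error Junos printed on the first commit attempt in the post.
        findings.append(MISSING_ROOT_AUTH)
        return findings
    if hash_type(config) == "md5-crypt":
        findings.append("root-authentication: $1$ MD5-crypt hash is weak; "
                        "prefer a $6$ SHA-512 hash where the release supports it")
    if "host-name" not in system:
        findings.append("system: host-name not set (prompt will stay 'root@')")
    return findings


if __name__ == "__main__":
    for name, text in (("factory", FACTORY_DEFAULT), ("committed", COMMITTED)):
        print(name, precommit_check(parse(text)) or ["commit complete"])
```

The parser is deliberately minimal (no support for `inactive:` or `apply-groups`), but it is enough to lint a `show configuration` capture before you paste it into a real box with `load merge`.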

That’s it for today. Until next post, I will add the basic configuration for J2 and the Cisco, so I can go to basic interface configuration and connectivity check.


The experience with my first Juniper certification

Last week I got my first Juniper certification, JNCIA-Junos, and I’m pretty excited about it. I had to start with this exam, which is roughly equivalent to CCNA, for two reasons:

– it’s mandatory for all other Juniper exams
– as I start with a new vendor’s technology I need to get a good understanding of how Junos works and how its CLI differs from the Cisco one

Maybe you are curious why I wanted to go with a certification vendor other than Cisco. Well, I felt the need to do something different, but still related to networking technology. I’m not thinking of moving away from Cisco, as this is still my strong point, but I don’t want my mind to get used to thinking only “Cisco style”. If I may put it like this, I want to “think out of the box”. I went with Juniper as I was always curious about their products and the way they handle routing protocols, configuration, network interconnections and so on…

I must say that the preparation and exam experience was a very pleasant one. First of all, after registering on the Juniper website, I got access to their Learning Portal, from where I could download two books in PDF format, free of charge. I already have the necessary networking fundamentals, so these two books were enough to prepare for this exam. If you are a beginner, there is another eLearning course available on the same Juniper Learning Portal called “Networking Fundamentals”, which is also free of charge. I checked some chapters from this course and I was surprised how nice and clear the explanations were. Beginners can easily understand and learn the basic concepts.

The theory was fine, but I wanted some hands-on experience, so I started looking on the Internet for cheap ways to prepare. I was lucky enough to get two boxes with Junos on them. After connecting them, I was able to start with the basic configuration and ended up configuring IGP, BGP, filtering, route manipulation, etc. I also established some connections between Cisco and Juniper and configured inter-vendor IGP and BGP. That was fun and I will add some “how-to” posts on my blog in the future.

Next, on the Juniper Learning Portal, any certification candidate can take a pre-assessment exam. If you pass, you get a voucher that gives you a 50% discount on the exam price. A nice welcome gift!

Without breaking the agreement, I think I may say that the exam was “to the point”, with clear questions expecting clear answers. No room for tricky interpretations of the questions, so if you did your lessons you will pass for sure.

All in all, it was a nice experience which offered me an appreciated break from CCIE preparation. Depending on the available time, I think I will continue with JNCIS-ENT.

I have to mention only one ugly point during my entire experience with this Juniper certification. Those of you who follow me on Twitter or LinkedIn already know what I’m talking about. I had to go to this exam three times, and not because I failed, but because the first two times the testing center thought that my time was worth nothing. Long story short, the 1st time they said that there was an update ongoing and they could not hold exams. After rescheduling with the help of Prometric, at the time and date suggested by the testing center, I went for the 2nd attempt just to find out that the testing center was closed and they had cancelled (?!) all exams without any notice. Finally, the 3rd time I booked with another testing center. I had used this testing center in the past for Cisco certifications. As expected, things went smoothly this time. I’m not blaming Juniper or Prometric for the first two experiences, but nevertheless I expect at least that they will notify the testing center about this unacceptable behavior.

Finally, my blog will remain mainly focused on Cisco, but I will also add some articles about Juniper / Junos in the form of beginner how-tos. I hope my articles will become more complex as I gain more Juniper knowledge, and my idea is to develop some scenarios that involve a mixed Cisco and Juniper environment.

If you have questions please use the comment form, but please don’t ask questions that I cannot respond to (ex. questions from exam).


4-byte Autonomous System Numbers

Last week I received a form from APNIC with new AS numbers. Looking through the papers I saw something strange: AS 123456 (I replaced the original with this number). Six digits. First I thought there was a mistake, then I recalled the new 4-byte ASNs. If for IPv6 things seem to be moving slowly, for the new AS number format they seem to be going faster. So fast that by January 1, 2010 all BGP speakers must support this feature, according to Cisco. I didn’t understand whether that document refers only to their products or whether it is something mandatory globally. Either way, things are moving quite fast in this direction.

Since I have to implement a BGP configuration with a 4-byte ASN, I started searching with my friend Google for the standards, and I was surprised that there is not much to find. Of course there is the official RFC and some other documentation, but no real examples of how to configure, troubleshoot and so on. That’s why I thought it would be nice to put something together for a general understanding of what a 4-byte ASN is and how it works. I assume here that the reader has a basic understanding of what an ASN and BGP are.

RFC 4893 is the reference for “BGP Support for Four-octet AS Number Space” (it has since been obsoleted by RFC 6793, which keeps the same mechanism). Originally the Autonomous System number was encoded in BGP as a two-octet (2-byte) entity, meaning 16 bits, as defined in RFC 4271; this gives the range 0 – 65535, written as a plain decimal number when configuring BGP. The new encoding uses four octets (4 bytes), meaning 32 bits. The expansion from 2 bytes to 4 bytes gives us 4,294,967,296 possible AS numbers (0 – 4294967295), which can be written in ASPLAIN or ASDOT format (both defined in RFC 5396).

Why two formats? Mainly due to different opinions about how the 4-bytes number should be represented:

ASPLAIN representation

The RIPE NCC assigns and registers 4-byte AS Numbers in ASPLAIN format.
ASPLAIN defines the 4-byte AS Number as a basic 32-bit integer.
“2-byte only AS Numbers” refers to AS Numbers in the range 0 – 65535
“4-byte only AS Numbers” refers to AS Numbers in the range 65536 – 4294967295
“4-byte AS Numbers” refers to AS Numbers in the range 0 – 4294967295
Advantages:
– IETF preferred notation
– continuation on how a 2-Byte AS number has been represented historically
– does not break AS-PATH REGEX
– APNIC reached consensus to adopt ASPLAIN for assignment and representation of 4-byte AS Numbers
– routers vendors appear to be supporting ASPLAIN, which will require no conversion from allocation to configuration
Disadvantages:
– long number to remember
– All existing 4-byte only assignments have been made in ASDOT

ASDOT representation

The full binary 4-byte AS number is split into two 16-bit words. A 4-byte AS Number is written as <high-order 16-bit value in decimal>.<low-order 16-bit value in decimal>:
“2-byte only AS Numbers” refers to AS Numbers in the range 0 – 65535
“4-byte only AS Numbers” refers to AS Numbers in the range 1.0 – 65535.65535
“4-byte AS Numbers” refers to AS Numbers in the range 0.0 – 65535.65535
Advantages:
– easy to read and remember
Disadvantages:
– requires conversion from ASPLAIN to ASDOT
– hard for regular expressions (the dot is a regex metacharacter in AS-PATH filters)

What happens if, in a BGP peering, one router supports the new format and the other only the old one? The reserved ASN 23456 (called AS_TRANS) exists for backward compatibility between 4-byte and 2-byte BGP speakers. The substitution is done by the 4-byte-capable router, not by the old one: when it peers with a neighbor that did not advertise the 4-byte capability, it announces AS 23456 as its own AS in the OPEN message and replaces every ASN above 65535 in the AS_PATH with 23456, carrying the real path in the optional transitive AS4_PATH attribute, which the old speaker passes along untouched. The notation you use (ASDOT or ASPLAIN) doesn’t matter here; on the wire the ASN is always a 32-bit integer. A graphical representation of the AS path from a 4-byte to a 2-byte speaker would be:
[figure: AS path from a 4-byte BGP speaker to a 2-byte BGP speaker]

OK, I hope you understand the basics of 4-byte ASNs. For me, the challenge was understanding how to transform a 4-byte ASN from ASPLAIN to ASDOT. In every document I saw on the Internet there was the same example, AS 65546 in ASPLAIN is 1.10 in ASDOT, but with no explanation. See below how the conversion takes place. If something is wrong, please let me know so I can correct it here. After all, I’m not a 4-byte ASN expert, I just try to help as much as I can.

So let’s take the number 65546.

1. 65546 / 65536 = 1 (integer division), which is the part in front of the . (dot) in the ASDOT representation.

2. 65546 – (65536 * 1) = 10 (the remainder after 65536 goes once into 65546), which is the part after the . (dot).

3. You obtain 1.10

As a general rule, take the ASPLAIN number and see how many whole times 65536 goes into it (once, twice, three times… depending). That quotient is the number before the dot. Then multiply 65536 by that quotient and subtract the result from the ASPLAIN number; the remainder is the number after the dot. In other words, ASDOT is just the high and low 16-bit halves of the 32-bit value written in decimal: 65546 is 0x0001000A in hexadecimal, so the high word is 0x0001 = 1 and the low word is 0x000A = 10. Note that the divisor is 65536 (2^16), not 65535, even though 65535 is the highest 2-byte ASN: dividing by 65535 and then subtracting the quotient happens to give the right answer for small examples, but it breaks in general (131071 would come out as 2.-1 instead of the correct 1.65535).

What confused me is that the number in the example was so close to the last 2-byte ASN, which is 65535.

Now for the last example, let me take a random higher number, 194534, and obtain the ASDOT format.

1. 194534 / 65536 = 2 (integer division)

2. 194534 – (65536 * 2) = 194534 – 131072 = 63462

3. ASDOT = 2.63462
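As an added example (not part of the original post and not vendor code), the following Python script implements the ASPLAIN/ASDOT conversion worked out above in both directions, and also simulates the AS_TRANS handling described earlier: what a 4-byte-capable speaker puts in AS_PATH and AS4_PATH toward an old 2-byte peer, and how a 4-byte-capable speaker on the far side reconstructs the real path from those two attributes (the AS_SEQUENCE-only rule from RFC 4893 section 4.2.3). The AS numbers in the usage section are constructed for the example.

```python
"""Added example: 4-byte ASN notation (RFC 5396) and AS_TRANS substitution
(RFC 4893 / RFC 6793). Illustrative code, not a BGP implementation."""

AS_TRANS = 23456        # reserved 2-byte placeholder for 4-byte-only ASNs
MAX_2BYTE = 0xFFFF      # 65535, the highest 2-byte ASN
WORD = 1 << 16          # 65536, the divisor for the asdot split


def asplain_to_asdot(asn):
    """65546 -> '1.10'; 2-byte-only ASNs stay plain ('64512')."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN must fit in 32 bits")
    if asn <= MAX_2BYTE:
        return str(asn)
    high, low = divmod(asn, WORD)      # high = asn >> 16, low = asn & 0xFFFF
    return f"{high}.{low}"


def asdot_to_asplain(text):
    """'1.10' -> 65546; a plain decimal string is returned as an int."""
    if "." not in text:
        asn = int(text)
        if not 0 <= asn <= 0xFFFFFFFF:
            raise ValueError("ASN must fit in 32 bits")
        return asn
    high, low = (int(part) for part in text.split(".", 1))
    if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
        raise ValueError("each asdot half must fit in 16 bits")
    return high * WORD + low


def as_path_for_old_speaker(as_path):
    """What a NEW (4-byte capable) speaker sends to an OLD peer.

    Every 4-byte-only ASN in AS_PATH is replaced by AS_TRANS; if anything
    was replaced, the untouched path travels in AS4_PATH (optional,
    transitive), which the OLD speaker forwards without understanding it.
    Returns (as_path_2byte, as4_path_or_None).
    """
    as_path_2byte = [AS_TRANS if asn > MAX_2BYTE else asn for asn in as_path]
    as4_path = list(as_path) if as_path_2byte != list(as_path) else None
    return as_path_2byte, as4_path


def reconstruct_as_path(as_path, as4_path):
    """A NEW speaker receiving from an OLD peer merges AS_PATH and AS4_PATH.

    RFC 4893 4.2.3 (AS_SEQUENCE only): if AS4_PATH is longer than AS_PATH
    it is ignored; otherwise the leading ASNs that OLD speakers prepended
    are kept from AS_PATH and the tail is taken from AS4_PATH.
    """
    if as4_path is None:
        return list(as_path)
    if len(as4_path) > len(as_path):
        return list(as_path)
    prefix = list(as_path[: len(as_path) - len(as4_path)])
    return prefix + list(as4_path)


if __name__ == "__main__":
    # Constructed sample values: the two from the post plus a tricky one.
    for asn in (65546, 194534, 131071, 123456):
        print(asn, "->", asplain_to_asdot(asn))
    # A route originated in 4-byte AS 65546 crossing an old 2-byte AS 64500.
    path_2byte, path4 = as_path_for_old_speaker([65546])
    print("sent to old peer:", path_2byte, "AS4_PATH:", path4)
    # The old AS prepends itself to AS_PATH only; AS4_PATH rides along.
    print("rebuilt downstream:", reconstruct_as_path([64500] + path_2byte, path4))
```

The `reconstruct_as_path` check that ignores an AS4_PATH longer than AS_PATH is not cosmetic: AS4_PATH is transitive and can be injected by any old speaker on the way, so a 4-byte-capable router must never let it lengthen or rewrite the 2-byte path it actually received.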

An online converter from ASPLAIN to ASDOT can be found here: http://as4.nullroute.se/index.php

For a more detailed explanation I would ask you to download the Cisco and Juniper documents regarding the 4-byte ASN implementation in BGP.

If you have any useful information about this topic or if something is wrong in my post, please comment and share your knowledge.

Juniper Training … Get a Free First Look

This morning I received a notification in my Inbox about a new person following me on Twitter. As I took a look at Jonah Manning’s (that’s the name of the person following me) tweets, one subject caught my attention immediately: “Training … Get a Free First Look”.

I followed the link and it led me to a document (http://forums.juniper.net/t5/Networking-Now/Training-Get-a-Free-First-Look/ba-p/23149) which explains that Juniper is renewing its training classes and needs beta testers for them. In the following lines I will quote from the link posted above, so please don’t sue me for copyright infringement; rather, let me know if there is a problem and I’ll remove them.

So, what’s going on at Juniper:
“When we write new training classes (or even significantly revise existing ones), we conduct various kinds of reviews to ensure that the training teaches the correct audience the correct skills in the correct way.  Sometimes, we get input from members of the “target audience” prior to writing the training (or even while writing the training), to find out what they really want to know, or to find out if a particular example is going to work well.  However, one of the biggest tests of a new class is the beta class.”

What is a beta class?
“A beta class is the first real-life test of a new class”

Where will they take place?
“It is conducted in our (n.a. Juniper’s) Sunnyvale offices using student guides and labs that are candidates for final release, and it is taught on a schedule that imitates the final class.  This is where we find out whether the four-day class really is four days, whether that slide on the second day really does explain four-byte AS numbers well enough, and whether that lab really does explain the topic accurately.  This is our opportunity to double-check that the class includes the correct material for the target audience, that it teaches that material well, and that there are no missing “building blocks” of knowledge.”

What will they teach you?
“… we have many kinds of classes (introductory, intermediate, and advanced) on many different topics (routing, VPNs, MPLS, security, management, etc.)”

How much does it cost?
“Participants in the beta classes are allowed to attend the class for free (however, all incidental expenses, including travel, are the participants’ responsibility)”

As you can see these beta classes are free, but unfortunately for some of us network engineers it will cost some money to attend (at least for me, since I’m in Europe), due to travel expenses and accommodation. Anyway, the lucky ones who are interested in seeing what the deal is with Juniper and have some networking know-how can attend these classes for free. To take advantage of this offer you have to register. Please find out how to do that at http://forums.juniper.net/t5/Networking-Now/Training-Get-a-Free-First-Look/ba-p/23149, in the paragraph before the last one.

OK, if you cannot participate in this program but you still want to get familiar with Juniper, there is good news: you can find some classes online. And the best part is that some of them are completely free; you just need an Internet connection and you’re good to go. You can find these online classes here: http://www.juniper.net/us/en/training/technical_education/

Juniper introduces Adaptive Threat Management

Juniper is this week introducing software that lets security platforms, even those made by other vendors, share and analyze log information in order to determine the root cause of network problems and fix them.

Called Adaptive Threat Management, the data-sharing software includes upgrades to its SSL VPN and Unified Access Control  devices that enable them to publish log information to a UAC server that shares the data with other platforms.

The interface between the SSL VPN and UAC devices and the server is a standard known as IF-MAP, a communication interface that creates a two-way street between network devices and the server to which device data is published.

Read the full article on NetworkWorld.com