
From IOS to Junos – Day 2

Notes from the day


I am just going to dump my text notes for the day; you have no idea how long it would take to format this stuff, and hell, I do it to share, not to make a profit.

 
** When I had shut down after the previous day's work, I had a thought that loopback 0 (the only loopback adaptor in Junos) would probably be done using unit numbers. As soon as I woke up and checked my Twitter I had a tweet from @networkjanitor:

"In regards to Junos Loopbacks you can have multiple unit interfaces and they can go diff vrfs"

So the first task today is to remove the existing loopback 0 unit 0 address and create a new loopback 0 unit 10 address.


root@Junos1# edit interfaces lo0

[edit interfaces lo0]

root@Junos1# edit unit 0

[edit interfaces lo0 unit 0]

root@Junos1# show
family inet {
address 10.254.200.1/32;
}

[edit interfaces lo0 unit 0]
root@Junos1# delete family inet address 10.254.200.1/32

[edit interfaces lo0 unit 0]
root@Junos1# commit
commit complete

[edit interfaces lo0]
root@Junos1# edit unit 10

[edit interfaces lo0 unit 10]
root@Junos1# set family inet address 10.254.200.1/32

[edit interfaces lo0 unit 10]
root@Junos1# commit
[edit interfaces lo0]
'unit 10'
if_instance: Multiple loopback interfaces not permitted in master routing instance
error: configuration check-out failed

[edit interfaces lo0 unit 10]

** OH Dear,

** after a bit of work I found that I had not deleted unit 0 of lo0

[edit interfaces]
admin@Junos1# delete lo0 unit 0
commit

[edit]
root@Junos1# set interfaces lo0 unit 10 family inet address 10.254.200.1/32

[edit]
root@Junos1# commit
commit complete

[edit]
root@Junos1#

**problem resolved

========== Moving on to Junos2
** Set up the same basics as Junos1:
name
domain-name
ip addresses
ssh
I had to go back and look at the day 1 notes for some guidance.

** Now that's done, let's try and get RIP running between 1 and 2

root@Junos1> configure
Entering configuration mode

[edit]
root@Junos1# edit protocols
[edit protocols]
root@Junos1# set rip group 1 neighbor em1

[edit protocols]
root@Junos1# commit
commit complete

** RIP group name: I have used 1; I need to look about and see what the standard way of representing this in Junos is.

The same process on Junos 2 em0; I do not have ssh access yet, so I am not pasting the commands.

[edit protocols]
root@Junos1# set rip group 1 neighbor em1
[edit protocols]
root@Junos1# set rip group 1 neighbor em10

Did the same on Junos2 but no routes. Found this helpful page: http://knol.google.com/k/configuring-basic-rip-using-a-juniper-olive-junos-via-cli#

so by default RIP will not advertise routes out

[edit]
root@Junos1# edit policy-options
[edit policy-options]
root@Junos1# set policy-statement adv-rip-routes term 1 from protocol rip

[edit]
root@Junos1# edit policy-options

[edit policy-options]
root@Junos1# set policy-statement adv-rip-routes term 1 then accept

[edit policy-options]
root@Junos1# commit

[edit protocols rip]
root@Junos1# top

commit complete
[edit policy-options]

root@Junos1# top edit protocols rip
[edit protocols rip]
root@Junos1# set group 1 export adv-rip-routes

** The command line will show what groups are available and what policies -- excellent

*** I cannot see 192.168.1.11 in router 2
Found it: I should have used
root@Junos1# set policy-statement adv-rip-routes term 1 from protocol direct
in addition to rip.
I had temporarily set it and removed it on router 2 so I could see the route in Junos 1.

protocols {
    rip {
        group 1 {
            export adv-rip-routes;
            neighbor em0.0;
            neighbor lo0.10;
            neighbor em1.0;
        }
    }
}
policy-options {
    policy-statement adv-rip-routes {
        term 1 {
            from protocol [ rip direct ];
            then accept;
        }
    }
}

which appears to work; I can now ssh onto 10.254.200.2 with the admin user.

** need to understand direct and rip
assumption at this point is direct = routes generated by routing protocol from within this host.
rip= route in the rip protocol not from this host????


**Final update 3/10/11 23:30

direct = directly connected networks on this router, even if they do not have RIP configured on the interface, e.g.

show route protocol direct

so enabling RIP on lo0.10 was a waste of time

rip = would guess as above "routes in the rip protocol not from this host"
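
The two snags hit above (a second lo0 unit left in the master routing instance, and a RIP group with no export policy) can be caught before commit by linting the saved configuration. The following is an added example, not part of the original notes: the sample config is constructed, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample in Junos brace format, modelled on the notes above:
# two lo0 units in the master instance and one RIP group without an export.
SAMPLE = """
interfaces { lo0 {
    unit 0 { family inet { address 10.254.200.1/32; } }
    unit 10 { family inet { address 10.254.200.1/32; } }
} }
protocols { rip {
    group 1 { export adv-rip-routes; neighbor em0.0; neighbor em1.0; }
    group 2 { neighbor em2.0; }
} }
"""

def parse(text):
    """Parse brace-style config into nested dicts; leaf statements map to None."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a new hierarchy level
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":                    # close the current level
            node = stack.pop()
        elif tok == ";":                    # end of a leaf statement
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def audit(cfg):
    """Return findings for the two problems described in the notes."""
    findings = []
    # lo0 units assigned to a routing instance via "interface lo0.N;"
    claimed = {s.split()[1]
               for inst in cfg.get("routing-instances", {}).values()
               for s in (inst or {}) if s.startswith("interface lo0.")}
    lo0 = cfg.get("interfaces", {}).get("lo0", {})
    master = [u.split()[1] for u in lo0
              if u.startswith("unit ") and f"lo0.{u.split()[1]}" not in claimed]
    if len(master) > 1:
        findings.append(f"lo0 units {master} in master instance: commit will fail")
    for name, body in cfg.get("protocols", {}).get("rip", {}).items():
        if name.startswith("group ") and not any(s.startswith("export ") for s in body):
            findings.append(f"rip {name}: no export policy, nothing is advertised")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```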


What I achieved



  • Got loopback 10 sorted

  • Got rip working although need to look at Direct/Rip from protocol


 

 

Noteworthy thoughts



  • I like the concept of setting up the routing protocol and establishing the relationship without actually sending routing updates; looking forward to seeing if this is the same with OSPF.

  • Need more work on the show / diagnostic commands to verify current status

  • Need to investigate the naming convention for protocol groups


