Device Infrastructure


Device Infrastructure Topics for the JNCIE-SP Exam

- High availability features of the Junos OS
    - Be familiar with graceful restart, GRES, NSR, and VRRP
- Aggregated Ethernet interfaces
    - Understand how LACP and the minimum-links command function
- Securing and monitoring Junos devices
    - Be familiar with firewall filters, syslogging, and user accounts
- Basic automation implementation and monitoring
    - Understand how to configure the router to use scripts

Aggregated Ethernet Considerations

When configuring aggregated Ethernet interfaces:
- Aggregated device count
    - Must be greater than the largest configured Aggregate Ethernet interface number
- LACP
    - Active or passive mode
- minimum-links statement
    - Must be set on both sides
    - Defaults to a value of 1
- Always test Layer 3 connectivity
    - LACP might show Layer 2 connectivity but this does not guarantee Layer 3 functionality

VRRP Considerations

When configuring VRRP:
- VRRP default behaviors
    - Higher priority member always preempts
    - Virtual IP address does not respond to requests
- Interface tracking values must not be greater than the current priority value
- The virtual IP address must be within the same subnet of the interface address in which it resides

Configuring User Accounts

When configuring user accounts:
- User templates
    - If the RADIUS server is unreachable, configure a local user with the user template for the user class to test the template
- Regular expressions
    - Use to specify which commands to allow or deny
- authentication-order [ radius password ] versus radius
- Useful commands
    - show cli authorization
    - load merge terminal relative
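
A login class with command regular expressions, a user template, and a local stand-in for testing it, as an added example that is not part of the presentation. The server address, secret, class name and user names are hypothetical.

```junos
/* Added example: address, secret, class and user names are hypothetical. */
system {
    /* With "radius" alone, local passwords are tried only when no server answers. */
    /* With [ radius password ], a RADIUS reject also falls through to local passwords. */
    authentication-order [ radius password ];
    radius-server {
        192.0.2.10 secret "RADIUS-SECRET-PLACEHOLDER";
    }
    login {
        class noc-ops {
            permissions [ view view-configuration network maintenance ];
            /* Each alternative is a complete expression in its own parentheses. */
            allow-commands "(clear interfaces statistics .*)";
            deny-commands "(request system reboot.*)|(request system halt.*)|(start shell.*)";
        }
        /* Template: no authentication stanza. The RADIUS server selects it by */
        /* returning this name in the Juniper-Local-User-Name attribute. */
        user noc-template {
            class noc-ops;
        }
        /* Local stand-in for testing the class while RADIUS is unreachable. */
        /* Give it a password interactively: */
        /* set system login user noc-test authentication plain-text-password */
        user noc-test {
            class noc-ops;
        }
    }
}
```

Paste it at [edit] with load merge terminal, commit, then log in as noc-test and run show cli authorization to see which permissions and commands the class actually grants.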

Firewall Filter Considerations

When configuring firewall filters:
- Break down the list of tasks
    - Individual smaller tasks are easier to handle
- Use of syslog versus log
    - Use the log statement to troubleshoot and verify
- prefix-list and apply-path can be used to help simplify tasks
- Use port names instead of port numbers
    - port ssh instead of port 22
- Control plane protection
    - Apply firewall filter to the loopback interface
- Implicit deny statement
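
A loopback filter that puts these points together, as an added example that is not part of the presentation: a prefix-list built with apply-path, port names, the log action, and an explicit final term in place of the implicit deny. The filter name, prefix-list names and 192.0.2.0/24 are hypothetical. The vrrp term is there because a filter on lo0 also sees the VRRP advertisements used in this lab; any other protocol the router terminates needs its own term ahead of the last one.

```junos
/* Added example: filter name, prefix-list names and 192.0.2.0/24 are hypothetical. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    /* apply-path fills this list from the configured RADIUS servers. */
    prefix-list radius-servers {
        apply-path "system radius-server <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            term ssh-from-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term radius-replies {
                from {
                    source-prefix-list { radius-servers; }
                    protocol udp;
                    source-port radius;
                }
                then accept;
            }
            /* Without this term the final discard drops VRRP advertisements too. */
            term vrrp {
                from { protocol vrrp; }
                then accept;
            }
            /* Same result as the implicit deny, but each hit is logged. */
            term discard-rest {
                then { log; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
            }
        }
    }
}
```

Apply it with commit confirmed so a mistake in the lo0 filter rolls back on its own, and check what the last term caught with show firewall log.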

Commit Script Considerations

When configuring commit scripts:
- Specify script name
    - file script-name
    - Script name must also be specified in the source statement
- Remote script retrieval
    - HTTP, FTP, or SCP can be used
    - Syntax: source "protocol://username@host:/location/script-name"
- refresh command
    - Globally for all commit scripts, or on a per commit script basis
    - Configuration mode command that acts like an operational mode command
    - Must be performed before a commit is issued

Task and Topology

[Topology diagram: routers R1, R2, and C1; interface labels ge-0/0/1, ge-0/0/2, ge-0/0/3, ge-0/0/4, and ge-0/0/9; host address labels .1, .2, and .3]

Task

High availability is required for the C1 router connected to R1 and R2. Configure a VRRP group in which R1 is the master for the 10.30.40.0/24 range. R2 must acquire mastership if two out of three of R1's internal interfaces fail. The virtual IP address of 10.30.40.100, that belongs to the VRRP group, must not respond to any ping requests.

What Now?

What are the required components?
- VRRP must be configured on R1 and R2
- VRRP group number is not specified; it is up to you to choose one
- Interfaces involved are ge-0/0/4 for R1 and ge-0/0/9 for R2
- Address range to work with is 10.30.40.0/24
- Virtual IP address is 10.30.40.100
- R1 is the master and R2 is the backup
- Interface tracking on R1's three internal interfaces is required
    - If two of R1's internal interfaces go down, the interface tracking values must reduce R1's priority lower than R2's priority
- The virtual IP address cannot respond to ping requests
    - The accept-data statement must not be configured

Task Completion (1 of 3)

Initial verification
- Verify interface state

    lab@R1> show interfaces terse ge-0/0/4
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/4                up    up
    ge-0/0/4.0              up    up   inet     10.30.40.1/24

    lab@R2> show interfaces terse ge-0/0/9
    ge-0/0/9                up    up
    ge-0/0/9.0              up    up   inet     10.30.40.2/24

Task Completion (2 of 3)

VRRP configuration—R1

    [edit interfaces ge-0/0/4]
    lab@R1# show
    unit 0 {
        family inet {
            address 10.30.40.1/24 {
                vrrp-group 1 {
                    virtual-address 10.30.40.100;
                    priority 149;
                    track {
                        interface ge-0/0/1 {
                            priority-cost 25;
                        }
                        interface ge-0/0/2 {
                        interface ge-0/0/3 {

Task Completion (3 of 3)

VRRP configuration—R2

    [edit interfaces ge-0/0/9]
    lab@R2# show
    unit 0 {
        family inet {
            address 10.30.40.2/24 {
                vrrp-group 1 {
                    virtual-address 10.30.40.100;
                    priority 100;
                }

Task Verification (1 of 5)

VRRP verification—R1

    [edit interfaces ge-0/0/4]
    lab@R1# run show vrrp detail
    Physical interface: ge-0/0/4, Unit: 0, Address: 10.30.40.1/24
      Index: 70, SNMP ifIndex: 519, VRRP-Traps: disabled
      Interface state: up, Group: 1, State: master, VRRP Mode: Active
      Priority: 149, Advertisement interval: 1, Authentication type: none
      Delay threshold: 100, Computed send rate: 0
      Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.30.40.100
      Advertisement Timer: 0.856s, Master router: 10.30.40.1
      Virtual router uptime: 00:03:02, Master router uptime: 00:01:36
      Virtual Mac: 00:00:5e:00:01:01
      Tracking: enabled
        Current priority: 149, Configured priority: 149
        Priority hold time: disabled
        Interface tracking: enabled, Interface count: 3
          Interface     Int state   Int speed   Incurred priority cost
          ge-0/0/1.0    up          1g          0
          ge-0/0/2.0    up          1g          0
          ge-0/0/3.0    up          1g          0
        Route tracking: disabled

Task Verification (2 of 5)

VRRP verification—R2

    [edit interfaces ge-0/0/9]
    lab@R2# run show vrrp detail
    Physical interface: ge-0/0/9, Unit: 0, Address: 10.30.40.2/24
      Index: 70, SNMP ifIndex: 531, VRRP-Traps: disabled
      Interface state: up, Group: 1, State: backup, VRRP Mode: Active
      Priority: 100, Advertisement interval: 1, Authentication type: none
      Delay threshold: 100, Computed send rate: 0
      Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.30.40.100
      Dead timer: 3.547s, Master priority: 149, Master router: 10.30.40.1
      Virtual router uptime: 00:05:02
      Tracking: disabled

Task Verification (3 of 5)

VRRP verification—R1

    [edit interfaces ge-0/0/4]
    lab@R1# up 1 set ge-0/0/1 disable

    [edit interfaces ge-0/0/4]
    lab@R1# up 1 set ge-0/0/2 disable

    [edit interfaces ge-0/0/4]
    lab@R1# commit
    commit complete

    [edit interfaces ge-0/0/4]
    lab@R1# run show vrrp detail
    Physical interface: ge-0/0/4, Unit: 0, Address: 10.30.40.1/24
      Interface state: up, Group: 1, State: backup, VRRP Mode: Active
    …
      Tracking: enabled
        Current priority: 99, Configured priority: 149
        Priority hold time: disabled
        Interface tracking: enabled, Interface count: 3
          Interface     Int state   Int speed   Incurred priority cost
          ge-0/0/1.0    down        0           25
          ge-0/0/2.0    down        0           25
          ge-0/0/3.0    up          1g          0

Task Verification (4 of 5)

VRRP verification—R2

    [edit interfaces ge-0/0/9]
    lab@R2# run show vrrp detail
    Physical interface: ge-0/0/9, Unit: 0, Address: 10.30.40.2/24
      Index: 70, SNMP ifIndex: 531, VRRP-Traps: disabled
      Interface state: up, Group: 1, State: master, VRRP Mode: Active
      Priority: 100, Advertisement interval: 1, Authentication type: none
      Delay threshold: 100, Computed send rate: 0
      Preempt: yes, Accept-data mode: no, VIP count: 1, VIP: 10.30.40.100
      Advertisement Timer: 0.386s, Master router: 10.30.40.2
      Virtual router uptime: 16:26:10, Master router uptime: 16:00:36
      Virtual Mac: 00:00:5e:00:01:01
      Tracking: disabled

Task Verification (5 of 5)

VRRP verification—R1

    [edit interfaces ge-0/0/4]
    lab@R1# up 1 delete ge-0/0/1 disable

    [edit interfaces ge-0/0/4]
    lab@R1# up 1 delete ge-0/0/2 disable

    [edit interfaces ge-0/0/4]
    lab@R1# commit
    commit complete

    [edit interfaces ge-0/0/4]
    lab@R1# run show vrrp detail
    Physical interface: ge-0/0/4, Unit: 0, Address: 172.20.20.3/24
      Interface state: up, Group: 1, State: master, VRRP Mode: Active
    …
      Tracking: enabled
        Current priority: 149, Configured priority: 149
        Priority hold time: disabled
        Interface tracking: enabled, Interface count: 3
          Interface     Int state   Int speed   Incurred priority cost
          ge-0/0/1.0    up          1g          0
          ge-0/0/2.0    up          1g          0
          ge-0/0/3.0    up          1g          0
