Академический Документы
Профессиональный Документы
Культура Документы
Routing
11.a
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 1: Configuring and Monitoring OSPF (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Part 1: Configuring and Monitoring OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Part 2: Configuring OSPF Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Part 3: Configuring OSPF Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Lab 3: Configuring and Monitoring Routing Policy and Advanced OSPF Options
(Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Part 1: Establishing the OSPF Adjacencies and Creating a Virtual Tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Part 2: Configuring OSPF Multiarea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7
Part 3: Configuring External Reachability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11
iv • Contents www.juniper.net
Course Overview
This three-day course is designed to provide students with the tools required for implementing,
monitoring, and troubleshooting Layer 3 components in an enterprise network. Detailed coverage
of OSPF, BGP, class of service (CoS), and multicast is strongly emphasized.
Through demonstrations and hands-on labs, students will gain experience in configuring and
monitoring the Junos operating system and in monitoring device and protocol operations.
Objectives
After successfully completing this course, you should be able to:
• Describe the various OSPF link-state advertisement (LSA) types.
• Explain the flooding of LSAs in an OSPF network.
• Describe the shortest-path-first (SPF) algorithm.
• Describe OSPF area types and operations.
• Configure various OSPF area types.
• Summarize and restrict routes.
• Identify scenarios that require routing policy or specific configuration options.
• Use routing policy and specific configuration options to implement solutions for
various scenarios.
• Describe basic BGP operation and common BGP attributes.
• Explain the route selection process for BGP.
• Describe how to alter the route selection process.
• Configure some advanced options for BGP peers.
• Describe various BGP attributes in detail and explain the operation of those attributes.
• Manipulate BGP attributes using routing policy.
• Describe common routing policies used in the enterprise environment.
• Explain how attribute modifications affect routing decisions.
• Implement a routing policy for inbound and outbound traffic using BGP.
• Identify environments that may require a modified CoS implementation.
• Describe the various CoS components and their respective functions.
• Explain the CoS processing along with CoS defaults on SRX Series Services Gateways.
• Describe situations when some CoS features are used in the enterprise.
• Implement some CoS features in an enterprise environment.
• Describe IP multicast traffic flow.
• Identify the components of IP multicast.
• Explain how IP multicast addressing works.
• Describe the need for reverse path forwarding (RPF) in multicast.
• Explain the role of Internet Group Management Protocol (IGMP) and describe the
available IGMP versions.
• Configure and monitor IGMP.
• Identify common multicast routing protocols.
• Describe rendezvous point (RP) discovery options.
• Configure and monitor Physical Interface Module (PIM) sparse modes.
Day 1
Chapter 1: Course Introduction
Chapter 2: OSPF
Lab 1: Configuring and Monitoring OSPF
Chapter 3: OSPF Areas
Lab 2: Configuring and Monitoring OSPF Areas and Route Summarization
Chapter 4: OSPF Case Studies and Solutions
Lab 3: Configuring and Monitoring Routing Policy and Advanced OSPF Options
Day 2
Chapter 5: BGP
Lab 4: Implementing BGP
Chapter 6: BGP Attributes and Policy
Lab 5: BGP Attributes
Chapter 7: Enterprise Routing Policies
Lab 6: Implementing Enterprise Routing Policies
Day 3
Chapter 8: Introduction to Multicast
Chapter 9: Multicast Routing Protocols and SSM
Lab 7: Implementing PIM-SM
Lab 8: Implementing SSM
Chapter 10: Class of Service
Lab 9: Implementing CoS Features in the Enterprise
Appendix A: BGP Route Reflection
Lab 10: BGP Route Reflection (Optional)
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File > Save, and type
config.ini in the Filename field.
CLI Undefined Text where the variable’s value is Type set policy policy-name.
the user’s discretion or text where
ping 10.0.x.y
the variable’s value as shown in
GUI Undefined the lab guide might differ from the Select File > Save, and type
value the user must input filename in the Filename field.
according to the lab topology.
Overview
This lab demonstrates configuration and monitoring of the OSPF protocol. In this lab, you
use the command-line interface (CLI) to configure, monitor, and troubleshoot OSPF.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Configure a multiarea OSPF network.
• Configure link costs and reference-bandwidth.
• Overload a router.
• Configure and troubleshoot OSPF authentication.
In this lab part, you configure and monitor a multiarea OSPF network. You will first
prepare your device by loading a reset config located on your device. Next, you
define a router ID for your assigned device. You then configure your device to
participate in a multiarea OSPF network and verify operations using CLI operational
mode commands.
Note
The instructor will tell you the nature of your
access and will provide you with the
necessary details to access your assigned
device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/reset.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to the [edit routing-options] hierarchy and configure the router ID
on your router using the IP address assigned to the lo0 interface as the input value.
[edit]
lab@srxA-1# edit routing-options
[edit routing-options]
lab@srxA-1# set router-id address
[edit routing-options]
lab@srxA-1#
Step 1.5
Navigate to the [edit protocols ospf] hierarchy and configure the interfaces
necessary for OSPF Area 0. Refer to the network diagram as needed and remember
to include the loopback interface, lo0.0. On the ge-0/0/1 interface, use the
interface-type p2p option to speed up its adjacency time.
[edit routing-options]
lab@srxA-1# top edit protocols ospf
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 1.6
Activate the configuration and quickly issue the run show ospf neighbor
command.
[edit protocols ospf]
lab@srxA-1# commit
commit complete
Step 1.8
Issue the run show ospf neighbor command again to verify the current OSPF
adjacency details.
[edit protocols ospf]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.20.77.2 ge-0/0/1.0 Full 192.168.2.1 128 37
172.20.66.2 ge-0/0/2.0 Full 192.168.2.1 128 37
In this lab part, you configure OSPF link costs, or metrics, on the student devices
and check your changes using CLI operational mode commands. In subsequent
steps, the words cost and metric are used interchangeably.
Step 2.1
Display routes advertised to and received from OSPF using the run show ospf
route command.
[edit protocols ospf]
lab@srxA-1# run show ospf route
Topology default Route Table:
Step 2.2
Associate a metric of 100 with the ge-0/0/2.0 interface. Activate the change and
reissue the run show ospf route command.
[edit protocols ospf]
lab@srxA-1# set area 0 interface ge-0/0/2.0 metric 100
Step 2.3
Another method to view the metric of an interface is the show ospf interface
detail command. Issue a run show ospf interface ge-0/0/2.0
detail command to view its output.
[edit protocols ospf]
lab@srxA-1# run show ospf interface ge-0/0/2.0 detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/2.0 BDR 0.0.0.0 192.168.2.1 192.168.1.1 1
Type: LAN, Address: 172.20.66.1, Mask: 255.255.255.252, MTU: 1500, Cost: 100
DR addr: 172.20.66.2, BDR addr: 172.20.66.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 100
Step 2.4
Because we are using Gigabit Ethernet interfaces in the network, change the
reference-bandwidth to 10g. Activate the change and issue the run show
ospf route command to view the changes.
[edit protocols ospf]
lab@srxA-1# set reference-bandwidth 10g
Step 2.5
Configure your assigned device to function as an area border router (ABR), joining
Area 0 with a second area. Refer to the network diagram for the area and interface
details. When complete, activate the configuration changes using the commit
command.
[edit protocols ospf]
lab@srxA-1# set area area interface ge-0/0/4.unit
Step 2.7
Verify reachability to the virtual router attached to your assigned device by pinging
its loopback address. Refer to your network diagram as necessary.
[edit protocols ospf]
lab@srxA-1# run ping local-vr-loopback rapid
PING 192.168.1.2 (192.168.1.2): 56 data bytes
!!!!!
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.437/4.057/8.057/3.122 ms
Note
Note
srxA-1 (ttyu0)
login: lab
Password:
login: username
Password: password
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
Step 2.12
Return to the CLI session on your SRX Series student device.
On the SRX Series student device, configure your device for OSPF overload mode
and activate the change.
[edit protocols ospf]
lab@srxA-1# set overload
a1@vr-device>
Step 2.14
Log out of the vr-device and then log out of student device. You can close this
second window because you will not need it anymore.
a1@vr-device> exit
lab@srxA-1> exit
Step 2.15
Return to the CLI session on your SRX Series student device.
On the SRX Series student device, delete the overload setting and activate your
changes.
[edit protocols ospf]
lab@srxA-1# delete overload
In this lab part, you configure OSPF authentication on the link between the student
devices. Initially, only team 1 will modify its device’s current configuration to make it
incompatible with team 2’s router. Then, both teams will enable OSPF traceoptions
to log protocol activity and the associated errors. Finally, team 2 will configure its
router to match team 1’s configuration changes.
Step 3.1
This step is for team 1 only.
Configure the ge-0/0/1.0 interface in Area 0 for OSPF Message Digest 5 (MD5)
authentication. Use a password of juniper and a key-id of 1. Activate your
changes when complete.
[edit protocols ospf]
lab@srxA-1# set area 0 interface ge-0/0/1.0 authentication md5 1 key juniper
Step 3.2
This step is for both teams.
Issue a run show ospf neighbor command.
[edit protocols ospf]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.20.66.2 ge-0/0/2.0 Full 192.168.2.1 128 35
172.20.111.10 ge-0/0/4.111 Full 192.168.1.2 128 33
Step 3.3
This step is for both teams.
Step 3.4
This step is for both teams.
Issue the run show log trace-ospf command to view the contents written to
the trace-ospf trace file.
[edit protocols ospf]
lab@srxA-1# run show log trace-ospf
Feb 22 21:42:24 trace_on: Tracing to "/var/log/trace-ospf" started
Feb 22 21:42:30.224638 OSPF packet ignored: authentication type mismatch (0)
from 172.20.77.2
Feb 22 21:42:38.426655 OSPF packet ignored: authentication type mismatch (0)
from 172.20.77.2
Feb 22 21:42:38.440217 OSPF packet ignored: authentication type mismatch (0)
from 172.20.77.2
[...]
Step 3.5
This step is for team 2 only.
Configure the ge-0/0/1.0 interface in Area 0 for OSPF MD5 authentication. Use a
password of juniper and a key-id of 1. Activate the changes when completed.
[edit protocols ospf]
lab@srxA-2# set area 0 interface ge-0/0/1.0 authentication md5 1 key juniper
Step 3.7
This step is for both teams.
Deactivate traceoptions and delete the trace-ospf log file. Activate the
configuration and return to operational mode using the commit and-quit
command.
[edit protocols ospf]
lab@srxA-1# deactivate traceoptions
lab@srxA-1>
Step 3.8
Log out of your assigned device using the exit command.
lab@srxA-1> exit
Overview
This lab configures a stub area and a not-so-stubby (NSSA) area, and performs route
summarization. In addition, the stub area will be converted into a totally stubby area using
the no-summaries option.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Create a stub area.
• Change the stub area to a totally stubby area.
• Create a not-so-stubby area.
• Perform route summarization.
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–1
11.a.11.4R1.6
Advanced Junos Enterprise Routing
In this lab part, you configure an OSPF stub area. You will first prepare your device by
loading a reset configuration file located on your device. You then configure a new
interface and the stub area. Finally, you reconfigure the stub area as a totally stubby
area. For this lab, you will use the network diagram titled “Lab 2 (Stub Area):
Configuring and Monitoring OSPF Areas and Route Summarization.”
Note
The instructor will tell you the nature of your
access and will provide you with the
necessary details to access your assigned
device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Lab 2–2 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab2-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab2-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
Step 1.4
Refer to the network diagram and configure the IP address on the ge-0/0/4.unit
interface for the stub area on your assigned device. Use the logical unit value as the
VLAN-ID value for this interface.
[edit]
lab@srxA-1# edit interfaces ge-0/0/4
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–3
Advanced Junos Enterprise Routing
Step 1.5
Navigate to the [edit protocols ospf] hierarchy and configure the OSPF
stub area. Refer to the network diagram to ensure you use the correct area number
for your device .
[edit interfaces ge-0/0/4]
lab@srxA-1# top edit protocols ospf
Lab 2–4 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Step 1.7
Issue the run show ospf interface detail | find ge-0/0/4
command to see the difference between the non-stub area interface and the new
stub area interface.
[edit protocols ospf]
lab@srxA-1# run show ospf interface detail | find ge-0/0/4
ge-0/0/4.111 BDR 0.0.0.1 192.168.1.2 192.168.1.1 1
Type: LAN, Address: 172.20.111.1, Mask: 255.255.255.0, MTU: 1500, Cost: 10
DR addr: 172.20.111.10, BDR addr: 172.20.111.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Not Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 10
ge-0/0/4.151 BDR 0.0.0.3 192.168.3.2 192.168.1.1 1
Type: LAN, Address: 172.20.151.1, Mask: 255.255.255.0, MTU: 1500, Cost: 10
DR addr: 172.20.151.10, BDR addr: 172.20.151.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Stub
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 10
Step 1.8
Issue the run show ospf database area area summary and run show
ospf database area area commands to see how many and what types of
link-state advertisements (LSAs) are contained in the OSPF database for your stub
area. Refer to the network diagram as needed for the correct stub area number.
[edit protocols ospf]
lab@srxA-1# run show ospf database area area summary
Area 0.0.0.3:
2 Router LSAs
1 Network LSAs
10 Summary LSAs
Externals:
6 Extern LSAs
Interface ge-0/0/1.0:
Area 0.0.0.0:
Interface ge-0/0/2.0:
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–5
Advanced Junos Enterprise Routing
Area 0.0.0.0:
Interface ge-0/0/4.111:
Area 0.0.0.1:
Interface ge-0/0/4.151:
Area 0.0.0.3:
Interface lo0.0:
Area 0.0.0.0:
Step 1.9
Convert your stub area to a totally stubby area using the no-summaries option
and activate your changes.
[edit protocols ospf]
lab@srxA-1# set area area stub no-summaries
Lab 2–6 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
interface ge-0/0/4.151;
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–7
Advanced Junos Enterprise Routing
Question: Why are there no summary LSAs?
Step 1.11
Configure the router to inject a default route into the stub area by using the
default-metric option. Give this route a metric of 10 and activate your
changes.
[edit protocols ospf]
lab@srxA-1# set area area stub default-metric 10
Lab 2–8 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
OSPF database, Area 0.0.0.3
Type ID Adv Rtr Seq Age Opt Cksum Len
Router *192.168.1.1 192.168.1.1 0x80000007 64 0x20 0xf29f 36
Router 192.168.3.2 192.168.3.2 0x80000009 298 0x20 0xe923 48
Network 172.20.151.10 192.168.3.2 0x80000003 298 0x20 0xf39b 32
Summary *0.0.0.0 192.168.1.1 0x80000001 64 0x20 0xf2d6 28
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.21.0.0 192.168.1.2 0x8000007b 1519 0x22 0x2bde 36
Extern 172.21.1.0 192.168.1.2 0x8000007b 931 0x22 0x20e8 36
Extern 172.21.2.0 192.168.1.2 0x8000007b 342 0x22 0x15f2 36
Extern 172.22.0.0 192.168.2.2 0x8000007c 54 0x22 0x16f0 36
Extern 172.22.1.0 192.168.2.2 0x8000007b 1311 0x22 0xdf9 36
Extern 172.22.2.0 192.168.2.2 0x8000007b 741 0x22 0x204 36
In this lab part, you configure an NSSA and perform route summarization on it. For
the remainder of this lab, please refer to the lab diagram titled “Lab 2 (NSSA Area):
Configuring and Monitoring OSPF Areas and Route Summarization.”
Step 2.1
Refer to the network diagram and configure the IP address on the ge-0/0/4.unit
interface for the NSSA area on your assigned device. Use the logical unit value as
the VLAN-ID value for this interface.
[edit protocols ospf]
lab@srxA-1# top edit interfaces ge-0/0/4
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–9
Advanced Junos Enterprise Routing
address 172.20.111.1/24;
}
}
unit 151 {
vlan-id 151;
family inet {
address 172.20.151.1/24;
}
}
unit 161 {
vlan-id 161;
family inet {
address 172.20.161.0/24;
}
}
Lab 2–10 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Address Interface State ID Pri Dead
172.20.77.2 ge-0/0/1.0 Full 192.168.2.1 128 33
172.20.66.2 ge-0/0/2.0 Full 192.168.2.1 128 33
172.20.111.10 ge-0/0/4.111 Full 192.168.1.2 128 39
172.20.151.10 ge-0/0/4.151 Full 192.168.3.2 128 36
172.20.161.10 ge-0/0/4.161 Full 192.168.5.2 128 34
Step 2.4
Issue the run show ospf interface ge-0/0/4.unit detail command
to verify this interface is set as an NSSA interface.
[edit protocols ospf]
lab@srxA-1# run show ospf interface ge-0/0/4.unit detail
Interface State Area DR ID BDR ID Nbrs
ge-0/0/4.161 BDR 0.0.0.5 192.168.5.2 192.168.1.1 1
Type: LAN, Address: 172.20.161.1, Mask: 255.255.255.0, MTU: 1500, Cost: 10
DR addr: 172.20.161.10, BDR addr: 172.20.161.1, Priority: 128
Adj count: 1
Hello: 10, Dead: 40, ReXmit: 5, Stub NSSA
Auth type: None
Protection type: None
Topology default (ID 0) -> Cost: 10
Note
Before proceeding, ensure that the remote
team in your pod finishes the previous step.
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–11
Advanced Junos Enterprise Routing
Step 2.5
Issue the run show ospf database area area summary and run show
ospf database area area nssa commands to see how many and what types
of LSAs are contained in the OSPF database for your NSSA area.
[edit protocols ospf]
lab@srxA-1# run show ospf database area area summary
Area 0.0.0.5:
2 Router LSAs
1 Network LSAs
13 Summary LSAs
4 NSSA LSAs
Externals:
14 Extern LSAs
Interface ge-0/0/1.0:
Area 0.0.0.0:
Interface ge-0/0/2.0:
Area 0.0.0.0:
Interface ge-0/0/4.111:
Area 0.0.0.1:
Interface ge-0/0/4.151:
Area 0.0.0.3:
Interface ge-0/0/4.161:
Area 0.0.0.5:
Interface lo0.0:
Area 0.0.0.0:
Step 2.6
Issue the run show ospf database external command to see external
LSAs contained in the OSPF database.
[edit protocols ospf]
lab@srxA-1# run show ospf database external
Lab 2–12 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.21.0.0 192.168.1.2 0x8000007b 1941 0x22 0x2bde 36
Extern 172.21.1.0 192.168.1.2 0x8000007b 1353 0x22 0x20e8 36
Extern 172.21.2.0 192.168.1.2 0x8000007b 764 0x22 0x15f2 36
Extern 172.22.0.0 192.168.2.2 0x8000007c 476 0x22 0x16f0 36
Extern 172.22.1.0 192.168.2.2 0x8000007b 1733 0x22 0xdf9 36
Extern 172.22.2.0 192.168.2.2 0x8000007b 1163 0x22 0x204 36
Extern *172.61.0.0 192.168.1.1 0x80000001 165 0x22 0x628e 36
Extern *172.61.1.0 192.168.1.1 0x80000001 165 0x22 0x5798 36
Extern *172.61.2.0 192.168.1.1 0x80000001 165 0x22 0x4ca2 36
Extern *172.61.3.0 192.168.1.1 0x80000001 165 0x22 0x41ac 36
Extern 172.62.0.0 192.168.2.1 0x80000001 203 0x22 0x5c91 36
Extern 172.62.1.0 192.168.2.1 0x80000001 203 0x22 0x519b 36
Extern 172.62.2.0 192.168.2.1 0x80000001 203 0x22 0x46a5 36
Extern 172.62.3.0 192.168.2.1 0x80000001 203 0x22 0x3baf 36
Step 2.7
Each of the external NSSA destinations is represented by a /24 network. Choose
one of the remote team’s destinations and issue a run show route
destination command for that destination.
[edit protocols ospf]
lab@srxA-1# run show route destination
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–13
Advanced Junos Enterprise Routing
Step 2.8
You will now summarize your four networks into one /22 network using the
area-range option. Ensure you set this command within the [edit protocols
ospf area area nssa] hierarchy of the configuration. Commit your changes
when completed and exit to operational mode.
[edit protocols ospf]
lab@srxA-1# set area area nssa area-range summary-address/22
lab@srxA-1>
Note
Before proceeding, ensure that the remote
team in your pod finishes the previous step.
Step 2.9
Issue the show ospf database external command to view the external LSAs
present in the OSPF database.
lab@srxA-1> show ospf database external
OSPF AS SCOPE link state database
Type ID Adv Rtr Seq Age Opt Cksum Len
Extern 172.21.0.0 192.168.1.2 0x8000007b 2294 0x22 0x2bde 36
Extern 172.21.1.0 192.168.1.2 0x8000007b 1706 0x22 0x20e8 36
Extern 172.21.2.0 192.168.1.2 0x8000007b 1117 0x22 0x15f2 36
Extern 172.22.0.0 192.168.2.2 0x8000007c 829 0x22 0x16f0 36
Extern 172.22.1.0 192.168.2.2 0x8000007c 251 0x22 0xbfa 36
Extern 172.22.2.0 192.168.2.2 0x8000007b 1516 0x22 0x204 36
Extern *172.61.0.0 192.168.1.1 0x80000002 46 0x22 0x3d21 36
Extern 172.62.0.0 192.168.2.1 0x80000002 30 0x22 0x2a32 36
Lab 2–14 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Question: Were the changes successful? How can
you tell?
Step 2.10
Choose one of the remote team’s destinations and issue a show route
destination command for that destination to verify the router is using the /22
summary route instead of the original /24 route.
lab@srxA-1> show route destination
www.juniper.net Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) • Lab 2–15
Advanced Junos Enterprise Routing
Lab 2–16 • Configuring and Monitoring OSPF Areas and Route Summarization (Detailed) www.juniper.net
Lab 3
Configuring and Monitoring Routing Policy and Advanced
OSPF Options (Detailed)
Overview
In this lab, you will use the lab diagram titled “Lab 3: Configuring and Monitoring Routing
Policy and Advanced OSPF Options” to establish a multiarea OSPF routing domain. This
lab will require the configuration of a virtual link as backup to the backbone connection
and a multiarea adjacency as outlined in RFC 5185. The final part of this lab will require
routing policy to redistribute and advertise routes being received from a RIP network into
OSPF external link-state advertisements (LSAs).
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Load the default configuration.
• Establish multiple OSPF adjacencies.
• Configure and verify a virtual link.
• Configure and verify a OSPF multiarea adjacency.
• Establish a RIP neighbor peer session.
• Write a routing policy to advertise a default route into RIP.
• Configure prefix-limits in OSPF to prevent excessive external routes.
• Write a routing policy to advertise a RIP summary route into OSPF.
• Write an OSPF import policy to prevent less than optimal routing.
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–1
11.a.11.4R1.6
Advanced Junos Enterprise Routing
In this lab part, you load the reset configuration for this lab and then establish the
OSPF adjacencies. The virtual router device (vr-device) will provide connectivity for
all three OSPF areas between your student device and your partners.
Note
The instructor will tell you the nature of your
access and will provide you with the
necessary details to access your assigned
device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Lab 3–2 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab3-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab3-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
Step 1.4
Navigate to the [edit protocols ospf] hierarchy. Establish the OSPF
adjacencies with the P1, P2, and R3 routers attached to your student device.
Configure OSPF Area 10 as a not-so-stubby area (NSSA) and advertise a default
route with a metric of 10. Do not forget the loopback address in Area 0. Commit the
configuration when complete.
[edit]
lab@srxA-1# edit protocols ospf
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–3
Advanced Junos Enterprise Routing
[edit protocols ospf]
lab@srxA-1# commit
commit complete
Step 1.6
Use the run show ospf neighbor command to verify the establishment of the
OSPF adjacencies.
[edit protocols ospf]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.22.121.2 ge-0/0/4.1211 Full 192.168.100.1 128 33
10.0.10.2 ge-0/0/14.0 Full 192.168.1.2 128 37
172.22.123.2 ge-0/0/4.1213 Full 192.168.101.1 128 35
Step 1.7
Verify that the routing table has connectivity to all devices in the OSPF domain. Use
the run show route protocol ospf table inet.0 | match /32
command to display only the host addresses.
Lab 3–4 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
[edit protocols ospf]
lab@srxA-1# run show route protocol ospf table inet.0 | match /32
192.168.1.2/32 *[OSPF/10] 00:03:07, metric 1
192.168.2.1/32 *[OSPF/10] 00:02:22, metric 2
192.168.2.2/32 *[OSPF/10] 00:03:07, metric 3
192.168.100.1/32 *[OSPF/10] 00:02:57, metric 1
192.168.101.1/32 *[OSPF/10] 00:02:57, metric 1
192.168.102.1/32 *[OSPF/10] 00:03:07, metric 2
224.0.0.5/32 *[OSPF/10] 00:03:12, metric 1
Step 1.8
Navigate to the [edit protocols ospf area 0.0.0.0] hierarchy. Create a
virtual link in OSPF Area 0 through Area 20 using the OSPF virtual-link
command. The virtual-link neighbor-id is the loopback address of your
partner’s student device. The virtual link should be used only as a backup in the
event of an P1 failure. This can be accomplished by setting the P2 interface in Area
20 to a metric of 10. Commit this configuration when completed.
[edit protocols ospf]
lab@srxA-1# edit area 0
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–5
Advanced Junos Enterprise Routing
Interface State Area DR ID BDR ID Nbrs
ge-0/0/4.1211 BDR 0.0.0.0 192.168.100.1 192.168.1.1 1
lo0.0 DR 0.0.0.0 192.168.1.1 0.0.0.0 0
vl-192.168.2.1 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 1
ge-0/0/14.0 BDR 0.0.0.10 192.168.1.2 192.168.1.1 1
ge-0/0/4.1213 BDR 0.0.0.20 192.168.101.1 192.168.1.1 1
Step 1.10
Use the run show ospf neighbor command to verify that the virtual link has
established an adjacency.
[edit protocols ospf]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.22.121.2 ge-0/0/4.1211 Full 192.168.100.1 128 33
172.22.124.1 vl-192.168.2.1 Full 192.168.2.1 0 34
10.0.10.2 ge-0/0/14.0 Full 192.168.1.2 128 35
172.22.123.2 ge-0/0/4.1213 Full 192.168.101.1 128 34
Step 1.11
Use the run show route address/32 table inet.0 command to verify
that your partner’s default loopback address routes through the P1 router and not
through the virtual link. Refer to the network diagram as needed.
[edit protocols ospf]
lab@srxA-1# run show route address/32 table inet.0
Lab 3–6 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Question: Does the route to your partner’s loopback
address go through the P1 router or the virtual link?
In this lab part, you configure an OSPF multiarea adjacency to provide an alternate
path for OSPF Area 10.
Step 2.1
Navigate to the [edit protocols ospf area 0.0.0.10] hierarchy and
establish an OSPF Area 10 adjacency through the P1 router. You will add the P1
interface to Area 10 with the secondary setting. This will provide a backup path for
Area 10 in the event of a P3 failure. Ensure that this backup path is only used in the
event of a P3 failure. This can be accomplished by setting the newly configured
interface with a higher metric. Commit these changes when completed.
[edit protocols ospf]
lab@srxA-1# edit area 10
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–7
Advanced Junos Enterprise Routing
Question: Area 10 now has two interfaces in it.
What is the state for the interface you just added to
Area 10? Why?
Step 2.3
Use the run show ospf neighbor command to verify the establishment of an
OSPF Area 10 adjacency through the P1 router.
[edit protocols ospf area 0.0.0.10]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.22.121.2 ge-0/0/4.1211 Full 192.168.100.1 128 33
Area 0.0.0.0
172.22.124.1 vl-192.168.2.1 Full 192.168.2.1 0 35
Area 0.0.0.0
10.0.10.2 ge-0/0/14.0 Full 192.168.1.2 128 31
Area 0.0.0.10
172.22.121.2 ge-0/0/4.1211 Full 192.168.100.1 128 32
Area 0.0.0.10
172.22.123.2 ge-0/0/4.1213 Full 192.168.101.1 128 39
Area 0.0.0.20
Step 2.4
Verify that the loopback address of your partner’s R3 virtual router is being routed
through the ge-0/0/14.0 interface toward your R3 virtual router. Use the run show
route address/32 table inet.0 command to display the path of the route.
[edit protocols ospf area 0.0.0.10]
lab@srxA-1# run show route address/32 table inet.0
Lab 3–8 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Question: What is the primary path to your partner’s
virtual router’s loopback address?
Step 2.5
Navigate to the [edit routing-instances instance-name protocols
ospf] hierarchy. The value of instance-name is the name of your remote virtual
router (either R3-1 or R3-2) depending on your assigned student device. Deactivate
your R3 virtual router’s Area 10 interface connected to the P3 router. Commit the
configuration when completed.
[edit protocols ospf area 0.0.0.10]
lab@srxA-1# top edit routing-instances instance-name protocols ospf
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–9
Advanced Junos Enterprise Routing
Question: Did the route converge through the
multiarea adjacency?
Step 2.7
Navigate to the top of the configuration hierarchy. Use the rollback 1 command
to reactivate the interface between your R3 virtual router and the P3 router. Commit
the configuration when complete.
[edit routing-instances R3-1 protocols ospf]
lab@srxA-1# top
[edit]
lab@srxA-1# rollback 1
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.8
Verify that OSPF converged back to the primary path by displaying your partner’s
loopback address using the run show route address/32 table inet.0
command.
[edit]
lab@srxA-1# run show route address/32 table inet.0
Lab 3–10 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
In this lab part, you configure an external connection from the R3 routing instance to
a RIP network. Once established, the RIP routes will be redistributed into OSPF.
Note
In this lab part, you will be configuring and
displaying commands in the virtual routing
instance. When referencing the routing
instance, the commands will include the
routing instance name, R3-N, where N is
the user number (1 or 2). Refer to the lab
diagram for the correct user number to use.
Step 3.1
Navigate to the [edit routing-instances instance-name] hierarchy.
Remove the R3-to-P3 interface from OSPF Area 10 and reconfigure that interface as
a RIP interface. Use a RIP group name of P3. Commit the configuration when
complete.
[edit]
lab@srxA-1# edit routing-instances instance-name
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–11
Advanced Junos Enterprise Routing
20.20.0.0/21 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.0.0/24 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.1.0/24 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.2.0/24 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.3.0/24 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.4.0/25 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.4.128/25 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.5.0/26 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.5.64/26 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.5.128/26 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
20.20.5.192/26 *[RIP/100] 00:00:40, metric 2, tag 0
> to 172.22.125.2 via ge-0/0/4.1215
Step 3.3
Use the run show route 0/0 exact table instance-name command to
verify your R3 virtual router has an OSPF default route that routes toward your
assigned student device.
[edit routing-instances R3-1]
lab@srxA-1# run show route 0/0 exact table instance-name
Lab 3–12 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
[edit policy-options policy-statement export-default]
lab@srxA-1# set term 1 from protocol ospf
Note
The next two steps must be coordinated
with your remote team partners.
Step 3.5
This step is to be performed by Team 1 only. Team 2 will perform the same step after
waiting two minutes from the time of this commit.
Navigate to the [edit routing-instances instance-name] hierarchy.
Apply the policy as an export policy in the P3 RIP group configured previously.
Commit the configuration when complete.
[edit policy-options policy-statement export-default]
lab@srxA-1# top edit routing-instances instance-name
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–13
Advanced Junos Enterprise Routing
Navigate to the [edit routing-instances instance-name] hierarchy.
Apply the policy as an export policy in the P3 RIP group configured previously.
Commit the configuration when complete.
[edit policy-options policy-statement export-default]
lab@srxA-2# top edit routing-instances instance-name
Note
The output from both routers is shown in
the following capture.
..........................................................................
[blank output]
Lab 3–14 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Question: Is the default route being advertised to
R3?
Step 3.8
Display the default route in the R3 routing table using the run show route 0/0
exact table instance-name command.
Note
The output from both routers is shown in
the following capture.
..........................................................................
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–15
Advanced Junos Enterprise Routing
Question: What is the active protocol for the default
route?
Step 3.9
Using the external-preference option, set the external preference of OSPF to
90 (which is less than the RIP preference of 100) for the R3 virtual router. Commit
the changes when complete.
[edit routing-instances R3-1]
lab@srxA-1# set protocols ospf external-preference 90
Note
The output from both routers is shown in
the following capture.
..........................................................................
Lab 3–16 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
R3-2.inet.0: 29 destinations, 29 routes (29 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
Step 3.11
Navigate to the [edit policy-options policy-statement
import-rip-route] hierarchy. Create a policy to accept only the 20.20.0.0/21
RIP summary route from the P3 RIP router.
[edit routing-instances R3-1]
lab@srxA-1# top edit policy-options policy-statement import-rip-route
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–17
Advanced Junos Enterprise Routing
route-filter 20.20.0.0/21 longer;
}
then reject;
}
Lab 3–18 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Step 3.14
Navigate to the [edit policy-options policy-statement
export-rip-route] hierarchy. Create a routing policy to redistribute the RIP
summary route into OSPF. Do not commit the configuration at this time.
[edit routing-instances R3-1]
lab@srxA-1# top edit policy-options policy-statement export-rip-route
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–19
Advanced Junos Enterprise Routing
Navigate to the [edit routing-instances instance-name] hierarchy.
Before applying the policy as an OSPF export policy, protect the network from
unnecessary routes by configuring a prefix export limit of 1 using the
prefix-export-limit command within protocols ospf. Commit the
configuration when complete.
[edit policy-options policy-statement export-rip-route]
lab@srxA-2# top edit routing-instances instance-name
Note
The output from both routers is shown in
the following capture.
...........................................................................
Lab 3–20 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Question: What could be causing the suboptimal
path to the RIP network?
Step 3.18
Examine the OSPF Type 7 LSA to Type 5 LSA conversion between the OSPF NSSA
area and the OSPF backbone area. Use the run show ospf database area
10 nssa detail command to display the Type 7 LSAs and the run show ospf
database external detail command to display the Type 5 LSA.
[edit routing-instances R3-1]
lab@srxA-1# run show ospf database area 10 nssa detail
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–21
Advanced Junos Enterprise Routing
Question: Which router created the Type 7 LSA for
the 20.20.0.0 prefix? Which ABR created the Type 5
external LSA for the 20.20.0.0 prefix? Why?
Step 3.19
Navigate to the [edit policy-options policy-statement
ospf-import] hierarchy. Create an OSPF import policy to block the RIP summary
route from being installed in the routing table from OSPF.
[edit routing-instances R3-1]
lab@srxA-1# top edit policy-options policy-statement ospf-import
Lab 3–22 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
lab@srxA-1>
Step 3.21
Verify that the OSPF import policy is working and that optimal routing is being
performed to the RIP network by using the traceroute 20.20.1.1
routing-instance instance-name command.
lab@srxA-1> traceroute 20.20.1.1 routing-instance instance-name
traceroute to 20.20.1.1 (20.20.1.1), 30 hops max, 40 byte packets
1 172.22.125.2 (172.22.125.2) 1.539 ms !N 1.358 ms !N 7.054 ms !N
Step 3.22
Log out of your assigned device using the exit command.
lab@srxA-1> exit
www.juniper.net Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) • Lab 3–23
Advanced Junos Enterprise Routing
Lab 3–24 • Configuring and Monitoring Routing Policy and Advanced OSPF Options (Detailed) www.juniper.net
Lab 4
Implementing BGP (Detailed)
Overview
In this lab, you will use the Lab 4 network diagrams to establish a BGP network. After
verifying the baseline OSPF topology, a full mesh of internal BGP (IBGP) sessions must be
established between all routers in your autonomous system (AS), AS 64700. The EBGP
neighboring routers are in AS 65510 and AS 65520. You will establish EBGP peering
sessions with the locally connected provider edge (PE) routers.
This lab will require the configuration of both IBGP and EBGP peering sessions.
The lab is available in two formats: a high-level format designed to make you think through
each step, and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Load a baseline configuration.
• Verify OSPF neighbor relationships and Internet reachability.
• Establish IBGP peering sessions.
• Establish EBGP peering sessions with multipath.
• Use policy to summarize IBGP routes.
• Establish an EBGP peering session with multihop.
In this lab part, you load a baseline configuration that will automatically set up your
router according to the lab diagram labeled “Lab 4: Implementing BGP—Part 1.”
Next, you verify router-to-router connectivity and OSPF operations using the
command-line interface (CLI).
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab4-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab4-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
Step 1.4
Use the run ping address rapid command to ping the far-end IP address of
each of the five interfaces attached to your student device. This action verifies that
each interface has been configured properly. Refer to your network diagram as
needed.
[edit]
lab@srxA-1# run ping address rapid
PING 172.18.1.1 (172.18.1.1): 56 data bytes
!!!!!
--- 172.18.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.581/2.595/5.961/1.693 ms
[edit]
lab@srxA-1# run ping address rapid
PING 172.18.11.1 (172.18.11.1): 56 data bytes
!!!!!
--- 172.18.11.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.364/1.555/1.838/0.175 ms
[edit]
lab@srxA-1# run ping address rapid
PING 172.20.66.2 (172.20.66.2): 56 data bytes
!!!!!
--- 172.20.66.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.343/4.010/7.581/2.777 ms
[edit]
lab@srxA-1# run ping address rapid
PING 172.20.77.2 (172.20.77.2): 56 data bytes
!!!!!
--- 172.20.77.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.155/1.348/1.948/0.301 ms
Step 1.5
Use the run show ospf interface and run show ospf neighbor
commands to confirm that OSPF has been configured properly and that adjacencies
have been established between neighboring routers.
[edit]
lab@srxA-1# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 BDR 0.0.0.0 192.168.2.1 192.168.1.1 1
ge-0/0/2.0 BDR 0.0.0.0 192.168.2.1 192.168.1.1 1
ge-0/0/3.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/4.1121 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
lo0.0 DR 0.0.0.0 192.168.1.1 0.0.0.0 0
ge-0/0/4.111 BDR 0.0.0.1 192.168.1.2 192.168.1.1 1
[edit]
lab@srxA-1# run show ospf neighbor
Address Interface State ID Pri Dead
172.20.77.2 ge-0/0/1.0 Full 192.168.2.1 128 36
172.20.66.2 ge-0/0/2.0 Full 192.168.2.1 128 38
172.20.111.10 ge-0/0/4.111 Full 192.168.1.2 128 32
In this lab part, you use the lab diagram called “Lab 4: Implementing BGP—
Parts 2–4” to configure and monitor IBGP. You first define the AS number for your
device. Next, you establish IBGP peering sessions using loopback addresses. You
then monitor the established IBGP peering sessions using CLI operational mode
commands.
Step 2.1
Navigate to the [edit routing-options] hierarchy. Define the AS number
designated for your network. Refer to the network diagram for this lab as necessary.
[edit]
lab@srxA-1# edit routing-options
[edit routing-options]
lab@srxA-1# set autonomous-system 64700
[edit routing-options]
lab@srxA-1#
Step 2.2
Navigate to the [edit protocols bgp] hierarchy. Configure an IBGP group
named my-int-group that includes the three devices within your assigned
network as IBGP peers. Use the loopback address assigned to your device as the
local-address and the remote loopback addresses of the other three devices
within your AS number as the neighbor addresses. When you are satisfied with
the newly defined BGP configuration, issue the commit command to activate the
changes.
[edit routing-options]
lab@srxA-1# top edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 2.3
Issue the run show bgp summary command to view the current BGP summary
information for your device.
[edit protocols bgp]
lab@srxA-1# run show bgp summary
Groups: 1 Peers: 3 Down peers: 0
Step 2.4
Issue the run show route receive-protocol bgp peer-address
command, where peer-address is the loopback address of each IBGP peer.
[edit protocols bgp]
lab@srxA-1# run show route receive-protocol bgp peer-address
In this lab part, you configure and monitor EBGP. You first establish an EBGP peering
session with your external peers. You then advertise aggregate routes to your EBGP
peer to represent the prefixes reachable from your AS. Finally, you monitor the
established EBGP peering sessions using CLI operational mode commands.
Step 3.1
Refer to the network diagram for this lab and configure two EBGP peering sessions
with the connected AS. Name the associated EBGP group my-ext-group. Once
configured, activate the configuration changes using the commit command.
[edit protocols bgp]
lab@srxA-1# set group my-ext-group type external
Note
Before proceeding, ensure the remote
student team in your pod has finished the
previous step.
STOP Do not proceed until the remote team finishes the previous step.
Step 3.2
Issue the run show bgp summary command to view the current BGP summary
information.
[edit protocols bgp]
lab@srxA-1# run show bgp summary
Groups: 2 Peers: 5 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 36 10 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.18.1.1 65510 12 9 0 0 3:03 10/
10/10/0 0/0/0/0
172.18.11.1 65510 11 8 0 0 2:59 0/
10/10/0 0/0/0/0
192.168.1.2 64700 28 34 0 0 12:38 0/
3/3/0 0/0/0/0
192.168.2.1 64700 31 29 0 0 10:58 0/
10/10/0 0/0/0/0
192.168.2.2 64700 28 33 0 0 12:30 0/
3/3/0 0/0/0/0
Step 3.3
View all of the routes received from the EBGP peers by issuing the run show
route aspath-regex "peer-as .*" command.
[edit protocols bgp]
lab@srxA-1# run show route aspath-regex "peer-as .*"
Step 3.4
Use the run show route 0/0 exact extensive command to look at the
default route received from each EBGP peer to determine why your router is
choosing one of the routes over the other.
[edit protocols bgp]
lab@srxA-1# run show route 0/0 exact extensive
Step 3.5
Issue the run show route advertising-protocol bgp peer-address
command, where peer-address is the IP address value assigned to each of your
EBGP peers.
[edit protocols bgp]
lab@srxA-1# run show route advertising-protocol bgp peer-address
Step 3.8
Navigate to the [edit routing-options] hierarchy and define aggregate
routes that represent the internal prefixes that are part of your AS. You will need to
summarize the 172.21.y.0/24, 172.22.y.0/24, 192.168.y.z/32 prefixes.
[edit protocols bgp]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# set aggregate route 172.21.0.0/22
[edit routing-options]
lab@srxA-1# set aggregate route 172.22.0.0/22
[edit routing-options]
lab@srxA-1# set aggregate route 192.168.1.0/30
[edit routing-options]
lab@srxA-1# set aggregate route 192.168.2.0/30
[edit routing-options]
lab@srxA-1# show aggregate
route 172.21.0.0/22;
route 172.22.0.0/22;
route 192.168.1.0/30;
route 192.168.2.0/30;
[edit routing-options]
lab@srxA-1#
Step 3.9
Navigate to the [edit policy-options] hierarchy and define a new policy
named adv-aggregates that includes two terms. Name the first term
match-aggregate-routes. It should match and accept the aggregate routes.
Ensure that you match the aggregate protocol. Name the second term
deny-other. It should reject all other routes.
[edit policy-options]
lab@srxA-1# edit policy-statement adv-aggregates
In this lab part, you configure BGP multipath so that your router load-balances
egress traffic to both of your router’s EBGP peers.
Step 4.1
Use the run show route received-protocol bgp peer-address
command to view the routes being received from the two EBGP peers. Refer to the
network diagram for this lab as necessary.
[edit protocols bgp]
lab@srxA-1# run show route receive-protocol bgp peer-address
Step 4.2
Display the 172.28.102.0/24 route using the run show route
172.28.102.0/24 detail command.
[edit protocols bgp]
lab@srxA-1# run show route 172.28.102.0/24 detail
Step 4.3
Use the BGP multipath option to install the EBGP routes with two equal cost
paths. Configure multipath in the my-ext-group BGP group. Commit your
configuration when complete.
[edit protocols bgp]
lab@srxA-1# set group my-ext-group multipath
Step 4.5
Use the run show route forwarding-table destination
172.28.102.0/24 command to view the packet forwarding table.
[edit protocols bgp]
lab@srxA-1# run show route forwarding-table destination 172.28.102.0/24
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
172.28.102.0/24 user 0 172.18.11.1 ucst 548 7 ge-0/0/4.1121
Step 4.6
Navigate to the [edit policy-options policy-statement
pfe-load-balance] hierarchy. Under the pfe-load-balance policy, create a
term that only load-balances all BGP routes.
[edit protocols bgp]
lab@srxA-1# top edit policy-options policy-statement pfe-load-balance
Step 4.7
After configuring the pfe-load-balance policy, apply it as an export policy under
the [edit routing-options forwarding-table] hierarchy. Commit the
changes.
[edit policy-options policy-statement pfe-load-balance]
lab@srxA-1# top edit routing-options forwarding-table
In this lab part, you remove the peering sessions to the two EBGP peers. In their
place, you configure a single BGP multihop session so that your router
load-balances egress traffic across multiple interfaces to a single EBGP peer. Use
the lab diagram called “Lab 4: Implementing BGP—Part 5” for this part of the lab.
Step 5.1
Navigate to the [edit protocols bgp] hierarchy. Delete the two EBGP peers
configured under the my-ext-group BGP group. Make sure to also delete the
multipath statement.
[edit routing-options forwarding-table]
lab@srxA-1# top edit protocols bgp
[edit routing-options]
lab@srxA-1# set static route PE-loopback-address/32 next-hop interface-address
[edit routing-options]
lab@srxA-1# set static route PE-loopback-address/32 next-hop interface-address
[edit routing-options]
lab@srxA-1# set static route PE-loopback-address/32 no-readvertise
[edit routing-options]
lab@srxA-1# show static
route 172.31.15.11/32 {
next-hop [ 172.18.1.1 172.18.11.1 ];
no-readvertise;
}
[edit routing-options]
lab@srxA-1# commit
commit complete
[edit routing-options]
lab@srxA-1#
Step 5.3
Attempt to ping the loopback address of your PE router. Be sure to source the ping
from the loopback of your student device.
[edit routing-options]
lab@srxA-1# run ping PE-loopback-address source local-loopback-address rapid
PING 172.31.15.11 (172.31.15.11): 56 data bytes
!!!!!
--- 172.31.15.11 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.697/3.023/7.580/2.283 ms
Step 5.4
Navigate to the [edit protocols bgp] hierarchy. Configure a single EBGP
neighbor under the my-ext-group BGP group using the loopback address of the
PE router as the neighbor and your own router’s loopback address as the
local-address. Commit your configuration when complete.
[edit routing-options]
lab@srxA-1# top edit protocols bgp
Step 5.5
Check the state of the EBGP session using the run show bgp summary
command.
www.juniper.net Implementing BGP (Detailed) • Lab 4–29
Advanced Junos Enterprise Routing
[edit protocols bgp]
lab@srxA-1# run show bgp summary
Groups: 2 Peers: 4 Down peers: 1
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 6 0 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.31.15.11 65510 0 0 0 0 9 Idle
192.168.1.2 64700 100 109 0 0 46:12 0/
3/3/0 0/0/0/0
192.168.2.1 64700 105 104 0 0 44:32 0/
0/0/0 0/0/0/0
192.168.2.2 64700 100 107 0 0 46:04 0/
3/3/0 0/0/0/0
Step 5.6
To relax the EBGP requirement of physical interface peering and make it possible to
EBGP peer between loopback addresses, apply the multihop statement to the
my-ext-group BGP group. Commit your configuration when complete.
[edit protocols bgp]
lab@srxA-1# set group my-ext-group multihop
Step 5.8
Now that the EBGP peering session is established, use the run show route
receive-protocol bgp PE-loopback-address command to view the
routes being received from the P3 router.
[edit protocols bgp]
lab@srxA-1# run show route receive-protocol bgp PE-loopback-address
Step 5.9
Display the 172.28.102.0/24 route using the run show route
172.28.102.0/24 detail active-path command.
Step 5.10
Use the run show route forwarding-table destination
172.28.102.0/24 command to verify that the forwarding table now has two
next-hop interfaces for the 172.28.102.0/24 route.
[edit protocols bgp]
lab@srxA-1# run show route forwarding-table destination 172.28.102.0/24
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
172.28.102.0/24 user 0 indr 262143 11
ulst 262142 2
172.18.1.1 ucst 546 6 ge-0/0/3.0
172.18.11.1 ucst 548 3 ge-0/0/4.1121
Step 5.11
Exit configuration mode and log out of your assigned device using the exit
command.
[edit protocols bgp]
lab@srxA-1# exit configuration-mode
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
Overview
This lab demonstrates configuration and manipulation of BGP path attributes. In this lab,
you use the command-line interface (CLI) to configure and manipulate BGP attributes.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Configure export and import policy.
• Configure and apply a next-hop self policy.
• Manipulate BGP path attributes to influence traffic flow.
In this lab part, you load the initial configuration needed to begin the lab.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab5-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab5-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
In this lab part, you first verify the autonomous system (AS) number internal BGP
(IBGP) group for your device. Next, you configure an EBGP peering session using the
direct addresses for your external peer.
Step 2.1
Using the show routing-options autonomous-system command, verify
that the AS number designated for your network has been configured. Refer to the
network diagram for this lab as necessary.
[edit]
lab@srxA-1# show routing-options autonomous-system
64700;
Step 2.2
Navigate to the [edit protocols bgp] hierarchy. Use the show command to
verify that the my-int-group group has been preconfigured as an IBGP session
with three peers.
[edit]
lab@srxA-1# edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 2.4
Issue the run show bgp summary command to view the current BGP summary
information for your device.
[edit protocols bgp]
lab@srxA-1# run show bgp summary
Groups: 2 Peers: 4 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 22 13 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.18.1.1 65510 46 40 0 0 16:29 9/
9/9/0 0/0/0/0
192.168.1.2 64700 42 52 0 0 19:12 2/
2/2/0 0/0/0/0
192.168.2.1 64700 53 54 0 0 19:12 0/
9/9/0 0/0/0/0
192.168.2.2 64700 42 52 0 0 19:04 2/
2/2/0 0/0/0/0
In this lab part you monitor received routes and detect next-hop resolution issues.
You will create a policy to correct the next-hop resolution problems and, after the
policy is applied, you will monitor the change and make sure it is working properly.
Step 3.1
Issue a run show route protocol bgp hidden command to view the
current hidden routes on your device.
[edit protocols bgp]
lab@srxA-1# run show route protocol bgp hidden
Note
The output will differ depending on the
device you are using.
Step 3.2
Navigate to the [edit policy-options] configuration hierarchy. Create a
policy named nhs with one term that sets all routes to next-hop self. You can
name this term anything you like.
[edit protocols bgp]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set policy-statement nhs term 1 then next-hop self
[edit policy-options]
lab@srxA-1#
Step 3.3
Navigate back to the [edit protocols bgp] configuration hierarchy. Apply the
nhs policy to the my-int-group BGP group as an export policy. When you are
satisfied with the newly defined configuration, issue the commit command to
activate changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 3.4
For verification, issue a run show route protocol bgp hidden command
to view the current status of hidden routes on your device.
[edit protocols bgp]
lab@srxA-1# run show route protocol bgp hidden
In this lab part, you use policy to avoid becoming a transit AS. To accomplish this
task, you configure a policy that matches routes that are generated in your AS,
accept the routes, and reject everything else. You then apply this policy to your EBGP
peers.
Step 4.1
Issue the run show route protocol bgp aspath-regex "()" command
to determine which routes are generated locally in the AS.
[edit protocols bgp]
lab@srxA-1# run show route protocol bgp aspath-regex "()"
Step 4.2
Issue a run show route advertising-protocol bgp peer-address
| match "^\*” command to count how many routes are advertised to the EBGP
peer.
[edit protocols bgp]
lab@srxA-1# run show route advertising-protocol bgp peer-address | match
"^\*”
* 4.0.0.0/21 Self 65520 I
* 67.3.192.0/21 Self I
* 67.3.200.0/21 Self I
* 69.3.176.0/21 Self I
* 69.3.184.0/21 Self I
* 87.47.48.0/22 Self 65520 65520 I
* 158.76.56.0/22 Self 65520 65520
65520 65520 1123 I
Step 4.3
Navigate to the [edit policy-options] hierarchy and create an AS path
regular expression named null-as that matches the null aspath-regex value.
[edit protocols bgp]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set as-path null-as "()"
[edit policy-options]
lab@srxA-1#
[edit policy-options]
lab@srxA-1# set policy-statement export-ebgp term local-routes then accept
[edit policy-options]
lab@srxA-1# set policy-statement export-ebgp term last then reject
[edit policy-options]
lab@srxA-1# show as-path null-as
"()";
[edit policy-options]
lab@srxA-1# show policy-statement export-ebgp
term local-routes {
from {
protocol bgp;
as-path null-as;
}
then accept;
}
term last {
then reject;
}
Step 4.5
Navigate to the [edit protocols bgp] hierarchy. Apply the export-ebgp
policy as an export policy to the my-ext-group BGP group. When you are satisfied
with the newly defined policy configuration, issue the commit command to activate
the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
In this lab part, you configure a policy to manipulate BGP attributes to influence
inbound traffic. Policy is used to change the AS path value and origin values on
outgoing advertisements.
Refer to the network diagram provided. To optimize routing back to the network, you
will manipulate outgoing advertisements to enhance the routes closer to the exit
point.
Note
You will be working with an exclusive set of
instructions depending on your assigned
device.
Step 5.1
This step is to be performed by Team 1 only.
Navigate to the [edit policy-options policy-statement
export-ebgp] hierarchy. Configure a term named origin that matches routes
67.3.200.0/21 and 69.3.184.0/21. Modify the origin of these routes using the
incomplete option and accept them. Insert the origin term before the
local-routes term. When you are satisfied with the newly defined policy
configuration, issue the commit command to activate the changes.
[edit protocols bgp]
lab@srxA-1# top edit policy-options policy-statement export-ebgp
[edit policy-options]
lab@srxA-2# set term as-prepend from route-filter 67.3.192.0/21 exact
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 5.3
Using the run telnet 8.0.0.1 source source-address command,
telnet to the ISP Y router to confirm the routes that were manipulated in the previous
step. Team 1 will use a source address of 67.3.192.1. Team 2 will use a source
address of 67.3.200.1. The user is ispy and the password is lab123.
[edit policy-options policy-statement export-ebgp]
lab@srxA-1# run telnet 8.0.0.1 source source-address
Trying 8.0.0.1...
Connected to 8.0.0.1.
Escape character is '^]'.
vr-device (ttyp1)
login: ispy
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
ispy@vr-device>
Step 5.4
From the ISP Y router, issue the show route table ispY-X 67.3.192.0/21
and show route table ispY-X 67.3.200.0/21 commands, where X is the
pod letter you are using (A,B,C, or D).
Note
Feel free to inspect the other BGP routes in
table ispY on the vr-device.
Note
The output might differ slightly depending
on which device is used.
Step 5.5
Log out of the vr-device.
In this lab part, you manipulate the local preference attribute based on incoming
community.
Referring to your lab diagram, ISP X and ISP Z are advertising their local customer
routes with a community containing their AS number and the number 1000,
regardless of AS path length. You will create a policy that optimizes outbound traffic
to use your peers local routes.
Step 6.1
Navigate to the [edit policy-options] configuration hierarchy. Create a BGP
community named peer-local that matches either 65510:1000 or 65520:1000.
[edit policy-options policy-statement export-ebgp]
lab@srxA-1# up
[edit policy-options]
lab@srxA-1# set community peer-local members "65510|65520:1000"
[edit policy-options]
lab@srxA-1#
Step 6.2
Create a policy named import-ebgp with a term named
peer-local-community that matches the community named peer-local
and sets the local preference to 1000.
[edit policy-options]
lab@srxA-1# set policy-statement import-ebgp term peer-local-community from
community peer-local
[edit policy-options]
lab@srxA-1# set policy-statement import-ebgp term peer-local-community then
local-preference 1000
Step 6.3
Navigate to the [edit protocols bgp] configuration hierarchy. Apply the policy
named import-ebgp to the my-ext-group BGP group as an import policy.
Issue the commit command to activate the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
In this lab part, you create two aggregate routes for the local AS. The more specific
routes will be known by your immediate peers, but we want to supress
advertisements beyond that. You will use a well-known community for this task.
Step 7.1
Navigate to the [edit routing-options] configuration hierarchy. Create two
aggregate routes that overlap the networks in our local AS. When you are satisfied
with the newly defined configuration, issue the commit command to activate the
changes.
[edit protocols bgp]]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# set aggregate route 69.3.176.0/20
[edit routing-options]
lab@srxA-1# set aggregate route 67.3.192.0/20
[edit routing-options]
lab@srxA-1# show aggregate
route 69.3.176.0/20;
route 67.3.192.0/20;
[edit routing-options]
lab@srxA-1# commit
commit complete
[edit routing-options]
lab@srxA-1#
Step 7.2
For verification, issue a run show route protocol aggregate command
and ensure the aggregate routes were created.
Step 7.3
Navigate to the [edit policy-options] configuration hierarchy. Create a
community named no-export containing the well-known no-export community.
[edit routing-options]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set community no-export members no-export
[edit policy-options]
lab@srxA-1#
Step 7.4
Navigate to the [edit policy-options policy-statement
export-ebgp] configuration hierarchy. Create two new terms. Name one of the
terms adv-agg; it should match the aggregate routes and accept them. Name the
second term ne to set the community to the no-export community you created
previously. Using the then next term option, set an additional action in the ne
term.
[edit policy-options]
lab@srxA-1# edit policy-statement export-ebgp
Note
Make sure to perform the previous step in
the order given. If it is not performed in the
order given, your policy will not work as
expected.
lab@srxA-1>
Step 7.6
This step is to be performed by Team 2 only.
Insert the adv-agg term before the term named as-prepend. Insert the ne term
after the adv-agg term. When you are satisfied with the newly defined
configuration, issue the commit and-quit command to activate the changes
and exit to operational mode.
Note
Make sure to perform the previous step in
the order given. If it is not performed in the
order given, your policy will not work as
expected.
lab@srxA-2>
Step 7.7
For verification, issue the show route advertising-protocol bgp
peer-address command to determine which routes you are advertising to your
EBGP peer. Refer the lab diagram as needed.
lab@srxA-1> show route advertising-protocol bgp peer-address
Note
The previous output might differ depending
on which device you are using, but you will
be advertising six routes.
Step 7.8
Using the telnet 8.0.0.1 source source-address command, telnet to
the ISP Y router to confirm the routes that were manipulated in the previous step.
Team 1 will use a source address of 67.3.192.1. Team 2 will use a source address of
67.3.200.1. The user is ispy and the password is lab123.
lab@srxA-1> telnet 8.0.0.1 source source-address
Trying 8.0.0.1...
Connected to 8.0.0.1.
Escape character is '^]'.
vr-device (ttyp1)
login: ispy
Password:
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
ispy@vr-device>
Step 7.9
From the vr-device, verify the routes originated from your local AS (64700) by issuing
a show route table ispY-X aspath-regex ".*64700$" command,
where X is the pod letter you are using (A,B,C, or D).
ispy@vr-device> show route table ispY-X aspath-regex ".*64700$"
Step 7.10
Log out of the vr-device using the exit command.
ispy@vr-device> exit
Overview
This lab demonstrates implementation of enterprise routing policies. In this lab you will be
using BGP as a policy tool to achieve the goals of the lab. In this lab, you use the
command-line interface (CLI) to configure and manipulate configuration.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• The use of private autonomous systems (ASs) to segregate the network.
• Configuration of the common routing policies for external connectivity.
In this lab part, you load the initial configuration needed to begin the lab.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab6-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab6-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
In this lab part, you configure BGP. You first define the AS number for your device.
Next, you establish IBGP peering sessions using loopback addresses for your
internal peers. Finally, you will create two different EBGP peering groups, one for
your internal enterprise sites and one for your external ISP provider. You will use
direct addresses for your external peers.
Step 2.1
Define the AS number designated for your network. Refer to the network diagram for
this lab as necessary.
[edit]
lab@srxA-1# set routing-options autonomous-system 10458
Step 2.2
Navigate to the [edit protocols bgp] hierarchy. Configure a BGP group
named my-int-group that includes the other SRX Series device within your AS
as an internal BGP (IBGP) peer. Use the loopback address assigned to your device
as the local address and the remote loopback address of the remote device as the
neighbor address. When you are satisfied with the newly defined BGP configuration,
issue the commit command to activate the changes.
[edit]
lab@srxA-1# edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 2.5
Issue the run show bgp summary command to view the current BGP peering
status for your device.
[edit protocols bgp]
lab@srxA-1# run show bgp summary
[...]
172.18.1.1 3356 22 11 0 0 45
1506/1506/1506/0 0/0/0/0
172.20.113.10 65001 18 85 0 0 7:32 1/
1/1/0 0/0/0/0
192.168.2.1 10458 110 105 0 0 19:04
113/1521/1521/0 0/0/0/0
In this lab part, you implement a strict primary/secondary routing policy for your
external connections. ISP X and ISP Z are sending a full view of the Internet table.
Note
This is a hypothetical full view of the
Internet routing table. Lab resources are
limited, thus we can only generate a limited
number of routes.
In addition, ISP X is sending a default route and customer routes with community tag
3356:1. ISP Z is also sending a default route and customer routes with community
tag 813:1.
Step 3.1
Navigate to the [edit policy-options] hierarchy and create two
communities, one named ispX with 3356:1 as the member and the other named
ispZ with 813:1 as the member.
[edit protocols bgp]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set community ispX members 3356:1
[edit policy-options]
lab@srxA-1# set community ispZ members 813:1
[edit policy-options]
lab@srxA-1#
Step 3.2
Create a policy named primary-secondary. In this policy, create a term named
primary that matches a default route (0.0.0.0/0) and community ispX. Set the
action for this term to raise the local preference to 1000 and accept.
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term primary from
route-filter 0/0 exact
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term primary from community
ispX
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term primary then
local-preference 1000
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term primary then accept
Step 3.3
Within the primary-secondary policy, create a second term named
secondary that matches a default route (0.0.0.0/0) and community ispZ. Set
the action for this term to accept.
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term secondary from
community ispZ
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term secondary then accept
Step 3.4
Within the primary-secondary policy, create a third term named reject with
an action of reject.
[edit policy-options]
lab@srxA-1# set policy-statement primary-secondary term reject then reject
[edit policy-options]
lab@srxA-1# show
policy-statement primary-secondary {
term primary {
from {
community ispX;
route-filter 0.0.0.0/0 exact;
}
then {
local-preference 1000;
accept;
}
}
term secondary {
from {
community ispZ;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term reject {
then reject;
}
}
community ispX members 3356:1;
community ispZ members 813:1;
Step 3.5
Navigate back to the [edit protocols bgp] hierarchy. Set the policy
primary-secondary as an import policy for the my-ext-group group. When
you are satisfied with the newly defined BGP configuration, issue the commit
command to activate the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
inet.0: 1520 destinations, 1520 routes (15 active, 0 holddown, 1505 hidden)
+ = Active Route, - = Last Active, * = Both
Note
The output will differ depending on the
device to which you are assigned.
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
In this lab part, you implement a primary/secondary routing policy for inbound
traffic using routing policy. You also implement a policy to keep the enterprise from
becoming a transit AS.
Step 4.1
Navigate to the [edit policy-options] hierarchy and create an AS path
regular expression named private that matches the entire private AS range
(64512–65535).
[edit protocols bgp]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set as-path private "[64512-65535]"
[edit policy-options]
lab@srxA-1#
Step 4.2
Create a policy named ext-ebgp. In this policy, create a term named
my-ent-nets that matches the as-path of private and has an action to accept.
Create a second term named reject-all with an action to reject. When you are
satisfied with the newly defined policy configuration, issue the commit command to
activate the changes.
[edit policy-options]
lab@srxA-1# set policy-statement ext-ebgp term my-ent-nets from as-path private
[edit policy-options]
lab@srxA-1# set policy-statement ext-ebgp term my-ent-nets then accept
[edit policy-options]
lab@srxA-1# set policy-statement ext-ebgp term reject-all then reject
[edit policy-options]
lab@srxA-1# show policy-statement ext-ebgp
term my-ent-nets {
from as-path private;
then accept;
}
term reject-all {
then reject;
}
[edit policy-options]
lab@srxA-1# show as-path private
"[64512-65535]";
[edit policy-options]
lab@srxA-1# commit
commit complete
Step 4.3
Navigate back to the [edit protocols bgp] hierarchy. Set the policy
ext-ebgp as an export policy for the my-ext-group group. When you are
satisfied with the newly defined BGP configuration, issue the commit command to
activate the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
inet.0: 1520 destinations, 1520 routes (15 active, 0 holddown, 1505 hidden)
Prefix Nexthop MED Lclpref AS path
* 67.3.192.1/32 Self 65001 I
* 67.3.200.1/32 Self 65002 I
Step 4.5
Remove the private AS when advertising the enterprise routes to the ISP. Use the
remove-private command under the my-ext-group. When you are satisfied
with the newly defined BGP configuration, issue the commit command to activate
the changes.
[edit protocols bgp]
lab@srxA-1# set group my-ext-group remove-private
inet.0: 1520 destinations, 1520 routes (15 active, 0 holddown, 1505 hidden)
Prefix Nexthop MED Lclpref AS path
* 67.3.192.1/32 Self I
* 67.3.200.1/32 Self I
Note
You will be working with an exclusive set of
instructions depending on your assigned
device.
[edit policy-options]
lab@srxA-2# set policy-statement ext-ebgp term my-ent-nets then as-path-prepend
"10458 10458 10458"
[edit policy-options]
lab@srxA-2# show policy-statement ext-ebgp
term my-ent-nets {
from as-path private;
then {
as-path-prepend "10458 10458 10458";
accept;
}
}
term reject-all {
then reject;
}
[edit policy-options]
lab@srxA-2# commit
commit complete
[edit policy-options]
lab@srxA-2#
Step 4.8
This step is to be performed by Team 2 only.
Issue the run show route advertising-protocol bgp 172.18.2.1
command to verify the policy is prepending the AS three times.
[edit policy-options]
lab@srxA-2# run show route advertising-protocol bgp 172.18.2.1
Note
Changing attributes before advertising to
the provider does not always guarantee the
desired result, because you have no control
over the routing policy of other networks.
In this lab part, you implement a loose primary/secondary routing policy. This action
allows you to prefer the secondary ISP for selected prefixes.
Step 5.1
This step is to be performed by Team 2 only.
Within the primary-secondary policy, create a new term named
ISPZ-specifics that matches the ispZ community created previously and
accepts the routes. Insert this term before the term reject in the
primary-secondary policy. When you are satisfied with the newly defined policy
configuration, issue the commit command to activate the changes.
[edit policy-options]
lab@srxA-2# set policy-statement primary-secondary term ISPZ-specifics from
community ispZ
[edit policy-options]
lab@srxA-2# set policy-statement primary-secondary term ISPZ-specifics then
accept
[edit policy-options]
lab@srxA-2# insert policy-statement primary-secondary term ISPZ-specifics
before term reject
www.juniper.net Implementing Enterprise Routing Policies (Detailed) • Lab 6–13
Advanced Junos Enterprise Routing
[edit policy-options]
lab@srxA-2# show policy-statement primary-secondary
term strict {
from {
community ispX;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term secondary {
from {
community ispZ;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term ISPZ-specifics {
from community ispZ;
then accept;
}
term reject {
then reject;
}
[edit policy-options]
lab@srxA-2# commit
commit complete
Note
Before proceeding, ensure that Team 2 in
your pod finishes the previous step.
Step 5.2
This step is to be performed by Team 1 only.
Issue the command run show route protocol bgp aspath-regex
"813$" | no-more. This action allows you to view routes originated from ISP Z.
Note
The command will have approximately 100
routes to display. It might take a couple of
seconds to complete.
[edit policy-options]
lab@srxA-1# run show route protocol bgp aspath-regex "813$" | no-more
inet.0: 1632 destinations, 1632 routes (127 active, 0 holddown, 1505 hidden)
+ = Active Route, - = Last Active, * = Both
In this lab part, you implement per-prefix load sharing for outbound traffic. This
allows the network to use different providers for a given set of prefixes.
Step 6.1
Navigate to the [edit protocols bgp] hierarchy. Remove the import policy
named primary-secondary from the BGP group my-ext-group. When you
are satisfied with the newly defined BGP configuration, issue the commit command
to activate the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 6.2
To view the amount of routes active in the table from the peers, issue a run show
bgp summary command.
lab@srxA-1# run show bgp summary
Groups: 3 Peers: 3 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 3028 1620 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
172.18.1.1 3356 155 143 0 0 1:03:19
1506/1506/1506/0 0/0/0/0
172.20.113.10 65001 494 770 0 0 3:52:19 1/
1/1/0 0/0/0/0
192.168.2.1 10458 729 720 0 0 4:03:51
113/1521/1521/0 0/0/0/0
Step 6.3
This step is to be performed by Team 1 only.
Navigate to the [edit policy-options] hierarchy. Create a policy named
load-shared. In this policy, create a term named half that matches all prefixes
within 0.0.0.0/1 or longer. Set the action for the term half to raise the local
preference to 1000 and accept.
[edit protocols bgp]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# set policy-statement load-shared term half then local-preference
1000
[edit policy-options]
lab@srxA-1# set policy-statement load-shared term half then accept
[edit policy-options]
lab@srxA-1#
Step 6.4
This step is to be performed by Team 2 only.
Navigate to the [edit policy-options] hierarchy. Create a policy named
load-shared. In this policy, create a term named half that matches all prefixes
within 128.0.0.0/1 or longer. Set the action for the term half to raise the local
preference to 1000 and accept.
[edit protocols bgp]
lab@srxA-2# top edit policy-options
[edit policy-options]
lab@srxA-2# set policy-statement load-shared term half from route-filter
128.0.0.0/1 orlonger
[edit policy-options]
lab@srxA-2# set policy-statement load-shared term half then local-preference
1000
[edit policy-options]
lab@srxA-2# set policy-statement load-shared term half then accept
[edit policy-options]
lab@srxA-2#
Step 6.5
Navigate back to the [edit protocols bgp] hierarchy. Apply the
load-shared policy as an import policy to the BGP group my-ext-group.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 6.6
For verification, issue a run show bgp summary command to view how many
routes are active from each peer.
Note
The following captures show the outputs
from both student devices.
...............................................................................
Note
The policy configured in the previous steps
should give a good start for a load-shared
design. However, maintaining parity for
outbound traffic for various providers
requires policy adjustment based on
constant monitoring of traffic patterns.
In this lab part, you implement per-prefix load sharing for inbound traffic. This allows
the external networks to use longest-match routing to reach your networks.
Step 7.1
This step is to be performed by Team 1 only.
Navigate to the [edit routing-options] hierarchy. Create aggregate routes
of 67.3.192.0/21 and 67.3.192.0/20. When you are satisfied with the newly
defined configuration, issue the commit command to activate the changes.
[edit routing-options]
lab@srxA-1# set aggregate route 67.3.192.0/21
[edit routing-options]
lab@srxA-1# show aggregate
route 67.3.192.0/21;
route 67.3.192.0/20;
[edit routing-options]
lab@srxA-1# commit
commit complete
[edit routing-options]
lab@srxA-1#
Step 7.2
This step is to be performed by Team 2 only.
Navigate to the [edit routing-options] hierarchy. Create aggregate routes
of 67.3.200.0/21 and 67.3.192.0/20. When you are satisfied with the newly
defined configuration, issue the commit command to activate the changes.
[edit protocols bgp]
lab@srxA-2# top edit routing-options
[edit routing-options]
lab@srxA-2# set aggregate route 67.3.200.0/21
[edit routing-options]
lab@srxA-2# set aggregate route 67.3.192.0/20
[edit routing-options]
lab@srxA-2# show aggregate
route 67.3.200.0/21;
route 67.3.192.0/20;
[edit routing-options]
lab@srxA-2# commit
commit complete
[edit routing-options]
lab@srxA-2#
Step 7.3
For verification, issue the command run show route protocol aggregate
to confirm that the aggregate routes have become active.
[edit routing-options]
lab@srxA-1# run show route protocol aggregate
[edit policy-options]
lab@srxA-1# set policy-statement export-load-shared term aggregates from
protocol aggregate
[edit policy-options]
lab@srxA-1# set policy-statement export-load-shared term aggregates then accept
[edit policy-options]
lab@srxA-1# set policy-statement export-load-shared term reject then reject
[edit policy-options]
lab@srxA-1#
Step 7.5
Navigate to the [edit protocols bgp] hierarchy. Remove the export policy
from the my-ext-group BGP group. Set the export-load-shared policy as
an export policy for the my-ext-group BGP group. When you are satisfied with the
newly defined configuration, issue the commit command to activate the changes.
[edit policy-options]
lab@srxA-1# top edit protocols bgp
Step 7.7
Exit configuration mode and log out of your assigned device using the exit
command.
[edit protocols bgp]
lab@srxA-1# exit configuration-mode
Exiting configuration mode
lab@srxA-1> exit
Overview
This lab demonstrates configuration and monitoring of Internet Group Management
Protocol (IGMP) and Protocol Independent Multicast Sparse Mode (PIM-SM) on devices
running the Junos operating system using the any-source multicast (ASM) model. In this
lab, you use the command-line interface (CLI) to configure and monitor IGMP and PIM-SM.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Configure and monitor IGMP.
• Configure and monitor static rendezvous point (RP) configuration.
• Configure and monitor the bootstrap router mechanism (BSR).
• Configure and monitor PIM-SM using the ASM model.
• Verify the flow of multicast traffic through the network.
In this lab part, you configure your student device’s interfaces according to the lab
diagram labeled “Lab 7: Implementing PIM-SM—Parts 1–3.” Next, you will verify the
topology using the CLI.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab7-start.config command.
After the configuration has been loaded, commit the changes and return to
operational mode before proceeding.
srxA-1 (ttyu0)
login: lab
[edit]
lab@srxA-1# load override ajer/lab7-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.4
Use the show configuration interfaces command to determine which
interfaces have been preconfigured for you.
lab@srxA-1> show configuration interfaces
ge-0/0/0 {
description "MGMT Interface - DO NOT DELETE";
unit 0 {
family inet {
address 10.210.14.131/26;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.20.77.1/30;
}
}
}
ge-0/0/4 {
vlan-tagging;
unit 0 {
vlan-id 121;
family inet {
address 172.18.121.2/30;
}
}
}
ge-0/0/8 {
unit 0 {
family inet {
address 10.1.1.1/30;
}
}
}
lo0 {
unit 0 {
Step 1.5
Use the show configuration protocols command to determine which
protocols have been preconfigured for you.
lab@srxA-1> show configuration protocols
ospf {
area 0.0.0.0 {
interface all;
interface ge-0/0/8.0 {
passive;
}
interface ge-0/0/0.0 {
disable;
}
}
}
Step 1.6
Verify that each interface has been configured properly by attempting to ping each of
the locally attached routers and hosts.
lab@srxA-1> ping address rapid
PING 172.18.121.1 (172.18.121.1): 56 data bytes
!!!!!
--- 172.18.121.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.393/2.354/4.220/1.019 ms
Step 1.7
Use the show ospf interface and show ospf neighbor commands to
confirm that OSPF has been configured properly and that adjacencies have been
established between neighboring routers.
lab@srxA-1> show ospf interface
Interface State Area DR ID BDR ID Nbrs
ge-0/0/1.0 BDR 0.0.0.0 192.168.122.1 192.168.121.1 1
ge-0/0/4.0 DR 0.0.0.0 192.168.121.1 192.168.120.1 1
ge-0/0/8.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
lo0.0 DR 0.0.0.0 192.168.121.1 0.0.0.0 0
sp-0/0/0.0 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
Step 1.8
To forward traffic from any given source in a PIM-SM network, each router must have
a route in its routing table associated with the source. Use the show route
172.18.120/24 command to determine whether a route to the source exists in
your device’s routing table.
lab@srxA-1> show route 172.18.120/24
In this lab part, you configure your student device’s ge-0/0/8 interface to run the
IGMP protocol. Next, you will log in to the locally attached receiver and configure it to
send IGMP reports. Finally, you will verify, with show commands, that your student
device is receiving the IGMP reports generated by the receiver.
Step 2.1
Enter configuration mode and navigate to the [edit protocols igmp]
hierarchy. Configure your device’s ge-0/0/8 interface to use IGMP version 2
(IGMPv2).
[edit]
lab@srxA-1# edit protocols igmp
Configured Parameters:
IGMP Query Interval: 125.0
IGMP Query Response Interval: 10.0
IGMP Last Member Query Interval: 1.0
IGMP Robustness Count: 2
Derived Parameters:
IGMP Membership Timeout: 260.0
IGMP Other Querier Present Timeout: 255.0
Step 2.4
Issue the run show igmp group command to determine the groups that have
been learned from IGMP.
[edit protocols igmp]
lab@srxA-1# run show igmp group
Interface: local, Groups: 5
Step 2.5
From your assigned device, log in to the attached receiver using SSH, a username of
lab, and a password of lab123.
[edit protocols igmp]
lab@srxA-1# run ssh lab@address
lab@10.1.1.2's password:
Last login: Sun Mar 4 10:13:32 2012 from 10.1.1.1
[lab@CoS1 ~]$
Step 2.6
Analyze the following table to determine the group that you will configure the
receiver to join.
Receivers Groups
Pod A 224.7.7.121
Pod B 224.7.7.123
Pod C 224.7.7.125
Pod D 224.7.7.127
Step 2.7
Using the rptqual application, configure your receiver to generate IGMP reports for
the group listed in the table. Use the following example from srxA-1 as a guide:
[lab@CoS1 ~]$ ./rtpqual group-address 1111 rtp&
[1] 16231
[lab@CoS1 ~]$
Step 2.8
Log out of the receiver and return to the operational mode prompt of your student
device.
[lab@CoS1 ~]$ exit
logout
In this lab part, you configure your student device to run the PIM-SM protocol using
the ASM model. Next, you will statically configure the RP for the network. Finally, you
will verify, with show commands, that your the network has built both a
rendezvous-point tree (RPT) and a shortest-path tree (SPT) from source to receiver.
Step 3.1
In the previous lab part, you configured the receiver to inform the network, using
IGMP, that it wishes to receive multicast traffic. However, IGMP only operates
between the receiver and the locally connected IGMP querier (router). To allow for
the rest of the network to know of the these locally attached receivers, a multicast
routing protocol must be enabled throughout the network of routers.
Navigate to the [edit protocols pim] level of the hierarchy. Configure each of
your router’s interfaces to run PIM-SM. Do not forget the loopback interface.
[edit protocols igmp]
lab@srxA-1# up 1 edit pim
Receivers RP Group
Pod A srxA-1 (192.168.121.1) 224.7.7.121
Pod B srxB-1 (192.168.121.1) 224.7.7.123
Pod C srxC-1 (192.168.121.1) 224.7.7.125
Pod D srxD-1 (192.168.121.1) 224.7.7.127
Step 3.3
This step is to be performed by Team 1 only.
Configure your device to be the RP for all multicast groups (224/4) using the
loopback address for the RP address. Commit your configuration when complete.
[edit protocols pim]
lab@srxA-1# set rp local address 192.168.121.1 group-ranges 224/4
Step 3.6
Verify that the correct RP has been configured on your router by issuing the run
show pim rps command.
[edit protocols pim]
lab@srxA-1# run show pim rps
Instance: PIM.master
Address family INET
RP address Type Holdtime Timeout Groups Group prefixes
192.168.121.1 static 0 None 1 224.0.0.0/4
Step 3.7
Issue the run show pim join extensive command to determine the (S,G)
and (*,G) states of your router.
[edit protocols pim]
lab@srxA-1# run show pim join extensive
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.7.7.121
Source: *
RP: 192.168.121.1
Flags: sparse,rptree,wildcard
Upstream interface: Local
Upstream neighbor: Local
Upstream state: Local RP
Uptime: 00:02:06
Downstream neighbors:
Interface: ge-0/0/1.0
172.20.77.2 State: Join Flags: SRW Timeout: 160
Uptime: 00:01:50 Time since last Join: 00:00:50
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: SRW Timeout: Infinity
Uptime: 00:02:06 Time since last Join: 00:02:06
Group: 224.7.7.121
Source: 172.18.120.2
Flags: sparse,spt
Upstream interface: ge-0/0/4.0
Group: 224.7.7.121
Source: 172.18.120.2/32
Upstream interface: ge-0/0/4.0
Downstream interface list:
ge-0/0/8.0
Session description: Unknown
Statistics: 53 kBps, 101 pps, 16169 packets
Next-hop ID: 262143
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 1
Uptime: 00:02:55
In this lab part, you use the “Lab 7: Implementing PIM-SM—Part 4” diagram. You will
configure your student device to run the PIM-SM protocol using the ASM model, but
this time you will use the BSR mechanism to dynamically learn the RP. Next, you will
verify with show commands that your the network has built both an RPT and an SPT
from source to receiver.
Step 4.1
Delete any RP configuration that currently exists. Commit your configuration and exit
to operational mode.
Receivers Groups
Pod A 224.7.7.122
Pod B 224.7.7.124
Pod C 224.7.7.126
Pod D 224.7.7.128
Step 4.6
Using the rtpqual application, configure your receiver to generate IGMP reports for
the group listed in the table. Use the following example from srxA-1 as a guide:
[lab@CoS1 ~]$ ./rtpqual group-address 1111 rtp&
[1] 3572
Step 4.7
Log out of the receiver and return to the operational mode prompt of your student
device.
[lab@CoS1 ~]$ exit
logout
lab@srxA-1>
Step 4.8
Using the show igmp group command, verify that your device is receiving IGMP
reports from the locally attached receiver.
lab@srxA-1> show igmp group
Interface: ge-0/0/8.0, Groups: 1
Group: 224.7.7.122
Source: 0.0.0.0
Last reported by: 10.1.1.2
Timeout: 249 Type: Dynamic
...
Step 4.10
This step is to be performed by Team 2 only.
Enter configuration mode and navigate to the [edit protocols pim]
hierarchy. Using the srxX-2 loopback address for the RP address, configure srxX-2 to
be the RP and BSR for your multicast group only as indicated in the previous step’s
table. Also, configure the BSR priority to a value of 50. Commit your configuration
and exit to operational mode.
lab@srxA-2> configure
Entering configuration mode
[edit]
lab@srxA-2# edit protocols pim
Step 4.11
Verify that a BSR has been elected using the show pim bootstrap command.
Note
It might take a minute for the BSR to be
elected.
Step 4.12
Verify that the correct RP has been configured on your router by issuing the show
pim rps command.
Step 4.13
Use the show pim join extensive command to determine the (S,G) and
(*,G) states of your router.
lab@srxA-1> show pim join extensive
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
Group: 224.7.7.122
Source: *
RP: 192.168.122.1
Flags: sparse,rptree,wildcard
Upstream interface: ge-0/0/1.0
Upstream neighbor: 172.20.77.2
Upstream state: Join to RP
Uptime: 00:00:46
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: SRW Timeout: Infinity
Uptime: 00:00:46 Time since last Join: 00:00:46
Group: 224.7.7.122
Source: 172.18.120.2
Flags: sparse,spt
Upstream interface: ge-0/0/4.0
Upstream neighbor: 172.18.121.1
Upstream state: Join to Source, Prune to RP
Keepalive timeout: 354
Uptime: 00:00:46
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: S Timeout: Infinity
Uptime: 00:00:46 Time since last Join: 00:00:46
Step 4.14
Verify that multicast traffic is being forwarded by your router by issuing the show
multicast route extensive command.
lab@srxA-1> show multicast route extensive
Instance: master Family: INET
Group: 224.7.7.122
Source: 172.18.120.2/32
Upstream interface: ge-0/0/4.0
Downstream interface list:
Step 4.15
Log out of your assigned device using the exit command when complete.
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
Overview
This lab demonstrates configuration and monitoring of Internet Group Management
Protocol (IGMP) and Protocol Independent Multicast Sparse Mode (PIM-SM) on devices
running the Junos operating system using the source-specific multicast (SSM) model. In
this lab, you use the command-line interface (CLI) to configure and monitor IGMP,
PIM-SM, and general SSM behavior.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Configure and monitor IGMP version 3 (IGMPv3).
• Disable the use of rendezvous points (RPs) in the PIM-SM network.
• Verify the flow of multicast traffic through the SSM modeled network using
various group addresses.
In this lab part, you load a reset configuration file and then stop any leftover rtpqual
processes on your attached receiver.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the IP
address associated with your student device. The following example uses a simple
Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab8-start.config command.
After the configuration has been loaded, commit the changes and return to
operational mode before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab8-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.4
From your device, log in to the attached receiver using SSH with a username of lab
and a password of lab123.
lab@srxA-1> ssh lab@receiver-ip-address
lab@10.1.1.2's password:
Last login: Fri Mar 8 07:48:07 2011 from 10.1.1.1
[lab@CoS1 ~]$
Step 1.5
Issue the ps -ef | grep rtpqual command to determine the process ID (PID)
of any rtpqual instances that might still exist from the previous lab or classes. Use
the following example as a guide:
[lab@CoS1 ~]$ ps -ef | grep rtpqual
lab 3572 1 0 07:50 ? 00:00:16 ./rtpqual 224.7.7.126 1111 rtp
lab 3714 3683 0 08:47 pts/0 00:00:00 grep rtpqual
Step 1.6
Issue the kill -9 pid command to kill all of the PIDs of any currently running
rtpqual application instances. Use the following example as a guide:
[lab@CoS1 ~]$ kill -9 3572
Step 1.7
Log out of the receiver and return to the operational mode prompt of your student
device.
[lab@CoS1 ~]$ exit
logout
lab@srxA-1>
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
In this lab part, you configure your student device’s ge-0/0/8 interface to run the
IGMPv3 protocol. Next, you will log in to the locally attached receiver and configure it
to send IGMP reports for three different multicast groups. Finally, you will verify, with
show commands, that your student device is receiving the IGMP reports generated
by the receiver.
Step 2.1
Enter configuration mode and navigate to the [edit protocols igmp]
hierarchy. Configure your device’s ge-0/0/8 interface to use IGMPv3. Commit your
configuration and exit to operational mode when complete.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit protocols igmp
lab@srxA-1>
Step 2.2
Issue the show igmp interface command to determine which interfaces are
enabled for IGMP.
lab@srxA-1> show igmp interface
Interface: ge-0/0/8.0
Querier: 10.1.1.1
State: Up Timeout: None Version: 3 Groups: 0
Immediate leave: On
Promiscuous mode: Off
Passive: Off
Interface: ge-0/0/4.0
Querier: 172.18.121.1
Configured Parameters:
IGMP Query Interval: 125.0
IGMP Query Response Interval: 10.0
IGMP Last Member Query Interval: 1.0
IGMP Robustness Count: 2
Derived Parameters:
IGMP Membership Timeout: 260.0
IGMP Other Querier Present Timeout: 255.0
Step 2.3
Analyze the following table to determine the source and group combinations that
you will configure your receiver to join. You might find it beneficial to write your
values down because you will refer to them several times over the following steps.
Step 2.4
From your device, log in to the attached receiver using SSH with a username of lab
and a password of lab123.
lab@srxA-1> ssh lab@receiver-ip-address
lab@10.1.1.2's password:
Last login: Fri Mar 18 07:48:07 2011 from 10.1.1.1
[lab@CoS1 ~]$
Step 2.5
Using the rtpqual application, configure your receiver to generate IGMP reports
for the source and group combinations listed in the table. Use the following example
as a guide:
[lab@CoS1 ~]$ ./rtpqual 224.22z.1.1 1111 rtp&
[1] 3789
[lab@CoS1 ~]$ ./rtpqual 232.22z.2.2 1111 rtp&
[2] 3792
[lab@CoS1 ~]$ ./rtpqual 172.18.120.y@232.22z.3.3 1111 rtp&
[3] 3793
Step 2.6
Log out of the receiver and return to the operational mode prompt of your student
device. You might see output streaming from the rtpqual application. This is okay;
simply issue the exit command and press the Enter key.
[lab@CoS1 ~]$ exit
lab@srxA-1>
Step 2.8
Issue the show igmp statistics command and determine whether any
IGMPv3 report errors have been logged.
lab@srxA-1> show igmp statistics
IGMP packet statistics for all interfaces
In this lab part, you use CLI commands to determine how PIM-SM is reacting to the
IGMP reports that are being received by the receiver’s designated router (DR).
Step 3.1
Issue the show pim join extensive command to determine the (S,G) state of
your router, which is the receiver’s DR.
lab@srxA-1> show pim join extensive
Instance: PIM.master Family: INET
R = Rendezvous Point Tree, S = Sparse, W = Wildcard
In this lab part, you create an ssm-map and apply it to IGMP on the receiver-facing
interface. The purpose of the ssm-map will be to statically assign a source to the
two groups (224.22z.1.1 and 232.22z.2.2). This feature allows you to support
IGMPv1 and IGMPv2 in an SSM-modeled network (it also works for IGMPv3). Refer
to the table in the previous section as needed.
Step 4.1
Enter configuration mode and navigate to the [edit policy-options]
hierarchy. Create a policy called ssm-groups that uses route filters to match on
224.22z.1.1 and 232.22z.2.2.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit policy-options
[edit policy-options]
lab@srxA-1# set policy-statement ssm-groups term 10 from route-filter
232.22z.2.2 exact
[edit policy-options]
lab@srxA-1# set policy-statement ssm-groups term 10 then accept
[edit policy-options]
lab@srxA-1#
Step 4.2
Navigate to the [edit routing-options multicast] hierarchy and
configure an ssm-map named map1. Configure the ssm-map to associate a
specific source to any IGMP message that reports membership to 224.22z.1.1 and
232.22z.2.2 by applying the ssm-groups policy to the ssm-map. Use the same
source IP address that is being used for the 232.22z.3.3 group.
[edit policy-options]
lab@srxA-1# up 1 edit routing-options multicast
lab@srxA-2>
Step 4.4
In previous steps you noticed that your router was ignoring IGMP reports for
232.22z.2.2. In this step, you verify that your router is now accepting the IGMP
reports for 232.22z.2.2. However, because rtpqual sends reports every 60
seconds, you might have to wait up to 60 seconds for your router to receive the next
IGMP report for 232.22z.2.2.
Step 4.5
Issue the show pim join extensive command, verify that an SPT has been
built from source to receiver for all three multicast groups.
Group: 224.221.1.1
Source: 172.18.120.2
Flags: sparse,spt
Upstream interface: ge-0/0/4.0
Upstream neighbor: 172.18.121.1
Upstream state: Join to Source
Keepalive timeout: 343
Uptime: 00:04:17
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: S Timeout: Infinity
Uptime: 00:04:17 Time since last Join: 00:04:17
Group: 232.221.2.2
Source: 172.18.120.2
Flags: sparse,spt
Upstream interface: ge-0/0/4.0
Upstream neighbor: 172.18.121.1
Upstream state: Join to Source
Keepalive timeout: 343
Uptime: 00:03:58
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: S Timeout: Infinity
Uptime: 00:03:58 Time since last Join: 00:03:58
Group: 232.221.3.3
Source: 172.18.120.2
Flags: sparse,spt
Upstream interface: ge-0/0/4.0
Upstream neighbor: 172.18.121.1
Upstream state: Join to Source
Keepalive timeout: 343
Uptime: 00:04:17
Downstream neighbors:
Interface: ge-0/0/8.0
10.1.1.1 State: Join Flags: S Timeout: Infinity
Uptime: 00:04:17 Time since last Join: 00:04:17
Step 4.6
Issue the show multicast route extensive command to determine
whether multicast data is being forwarded by your router for all three multicast
groups.
lab@srxA-1> show multicast route extensive
Instance: master Family: INET
Group: 224.221.1.1
Source: 172.18.120.2/32
Upstream interface: ge-0/0/4.0
Downstream interface list:
ge-0/0/8.0
Session description: Unknown
Statistics: 52 kBps, 98 pps, 30920 packets
Next-hop ID: 262143
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:05:16
Group: 232.221.2.2
Source: 172.18.120.2/32
Upstream interface: ge-0/0/4.0
Downstream interface list:
ge-0/0/8.0
Session description: Source specific multicast
Statistics: 1 kBps, 2 pps, 2671 packets
Next-hop ID: 262143
Upstream protocol: PIM
Route state: Active
Forwarding state: Forwarding
Cache lifetime/timeout: 360 seconds
Wrong incoming interface notifications: 0
Uptime: 00:04:57
Group: 232.221.3.3
Source: 172.18.120.2/32
Upstream interface: ge-0/0/4.0
Downstream interface list:
ge-0/0/8.0
Step 4.7
Log out of your assigned device using the exit command when complete.
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
Overview
This lab demonstrates the implementation and testing of various class-of-service (CoS)
components in a network. In this lab, you use the CLI to configure and manipulate
configuration.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
• Configure multifield and behavior aggregate classifiers.
• Configure a policer for different traffic classes.
• Create drop profiles.
• Configure packet marking.
Part 1: Loading the Initial Configuration and Accessing the CoS Host
In this lab part, you use two CLI sessions to accomplish the lab’s goals. You will first
log in to your assigned SRX Series student device in the same manner as for
previous labs. Next, you will open a second session to your assigned student device
and then SSH from there to the CoS end-host device.
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the
IP address associated with your student device. The following example uses a
simple Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab9-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
[edit]
lab@srxA-1# load override ajer/lab9-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
Step 1.4
Open a second session to your assigned student device and log in with the
username lab using a password of lab123. From that session, log in to the
attached CoS host using SSH with a username of lab and a password of lab123.
Refer to the lab diagram as needed.
srxA-1 (ttyu0)
login: lab
Password:
Note
You will use the CoS host for the remainder
of the lab. If you have any problems
accessing the host, please see the
instructor.
In this lab part, you configure traffic classification with a multifield classifier and a
behavior aggregate. Once complete, you will use the CoS host to test your
configuration.
Step 2.1
Return to the CLI session on your SRX Series student device.
On the SRX Series device, navigate to the [edit class-of-service]
configuration hierarchy. Assign forwarding-class queue 4 with a class-name data.
[edit]
lab@srxA-1# edit class-of-service
[edit class-of-service]
lab@srxA-1#
Step 2.2
Navigate to the top of the configuration hierarchy. Create a firewall filter named
MF-class. In this firewall filter, create a term named scp that matches traffic from
destination-port 22. Set the action for term scp to forwarding-class data and
loss-priority low. Create a second term named accept, with an action to accept.
Apply the firewall filter MF-class as an input filter to the ge-0/0/8.0 interface.
When complete, issue the commit command to activate the changes.
[edit class-of-service]
lab@srxA-1# top
[edit]
lab@srxA-1# set firewall filter MF-class term scp from destination-port 22
[edit]
lab@srxA-1# set firewall filter MF-class term scp then forwarding-class data
[edit]
lab@srxA-1# set firewall filter MF-class term scp then loss-priority low
[edit]
lab@srxA-1# set firewall filter MF-class term accept then accept
[edit]
lab@srxA-1# set interfaces ge-0/0/8 unit 0 family inet filter input MF-class
[edit]
lab@srxA-1# show firewall
filter MF-class {
term scp {
from {
destination-port 22;
}
then {
loss-priority low;
forwarding-class data;
}
}
term accept {
then accept;
}
}
[edit]
lab@srxA-1# show class-of-service
forwarding-classes {
queue 4 data;
}
[edit]
lab@srxA-1# show interfaces ge-0/0/8
unit 0 {
family inet {
filter {
input MF-class;
}
address 10.1.1.1/30;
}
}
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.3
Navigate to the [edit class-of-service] configuration hierarchy. Create a
DiffServ code point (DSCP) behavior aggregate classifier named BA-class. In this
classifier, import the default DSCP classification.
[edit]
lab@srxA-1# edit class-of-service
[edit class-of-service]
lab@srxA-1# set classifiers dscp BA-class import default
[edit class-of-service]
lab@srxA-1#
Step 2.4
Within the BA-class classifier created in the previous step, match on code points
ef and cs5 for forwarding-class expedited-forwarding. Set the loss priority to low.
[edit class-of-service]
lab@srxA-1# set classifiers dscp BA-class forwarding-class expedited-forwarding
loss-priority low code-points ef
[edit class-of-service]
lab@srxA-1# set classifiers dscp BA-class forwarding-class expedited-forwarding
loss-priority low code-points cs5
Step 2.5
Apply the BA-class behavior aggregate classifier to all gigabit interfaces on your
assigned student device. When complete, issue the commit command to activate
the changes.
[edit class-of-service]
lab@srxA-1# set interfaces ge-* unit * classifiers dscp BA-class
[edit class-of-service]
lab@srxA-1# show classifiers
dscp BA-class {
import default;
forwarding-class expedited-forwarding {
loss-priority low code-points [ ef cs5 ];
}
}
[edit class-of-service]
lab@srxA-1# show interfaces
ge-* {
unit * {
classifiers {
dscp BA-class;
}
}
}
[edit class-of-service]
lab@srxA-1# commit
commit complete
Step 2.6
Issue the run clear interfaces statistics all command to clear the
statistics for all interfaces.
[edit class-of-service]
lab@srxA-1# run clear interfaces statistics all
Step 2.7
Return to the CLI session on your CoS host.
On the CoS host, secure copy (scp) a file named smallfile.txt in a folder called
lab7files from the other team’s host to your local directory. Use the scp
cosZ:lab7files/smallfile.txt smallfile.txt command, where Z is
the number (1 or 2) of the other team, to complete this step.
Lab 9–6 • Implementing CoS Features in the Enterprise (Detailed) www.juniper.net
Advanced Junos Enterprise Routing
Note
The hosts are predefined with key
authentication; thus a password should not
be needed. If prompted for a password, use
lab123.
In this lab part, you configure policers and apply them using firewall filters. Different
policer actions are applied in this lab part.
Step 3.1
Navigate to the [edit firewall] configuration hierarchy. Create a policer
named port80 that discards traffic when the bandwidth exceeds 1 megabit. In
addition, set a burst size limit of 640 kilobytes for this policer.
[edit class-of-service]
lab@srxA-1# top edit firewall
[edit firewall]
lab@srxA-1# set policer port80 if-exceeding bandwidth-limit 1m
[edit firewall]
lab@srxA-1# set policer port80 if-exceeding burst-size-limit 640k
[edit firewall]
lab@srxA-1# set policer port80 then discard
[edit firewall]
lab@srxA-1#
Step 3.2
Create a new term named http-dst in the firewall filter MF-class. This new term
should match traffic destined to port 80. Set the action of the term to then
policer port80.
[edit firewall]
lab@srxA-1# set filter MF-class term http-dst from destination-port 80
[edit firewall]
lab@srxA-1# set filter MF-class term http-dst then policer port80
Step 3.3
Insert the new http-dst term before the term scp in the MF-class filter. When
complete, issue the commit command to activate the changes.
[edit firewall]
lab@srxA-1# insert filter MF-class term http-dst before term scp
[edit firewall]
lab@srxA-1# show filter MF-class
term http-dst {
from {
destination-port 80;
}
then policer port80;
}
term scp {
from {
destination-port 22;
}
then {
loss-priority low;
forwarding-class data;
}
}
term accept {
then accept;
}
[edit firewall]
lab@srxA-1# commit
commit complete
Step 3.4
Create a policer named voice-overflow. Set the policer’s action to
forwarding-class best-effort and loss-priority high if the bandwidth exceeds
3 megabits. In addition, set a burst size limit of 640 kilobytes for this policer.
[edit firewall]
lab@srxA-1# set policer voice-overflow if-exceeding bandwidth-limit 3m
[edit firewall]
lab@srxA-1# set policer voice-overflow if-exceeding burst-size-limit 640k
[edit firewall]
lab@srxA-1# set policer voice-overflow then forwarding-class best-effort
[edit firewall]
lab@srxA-1# set policer voice-overflow then loss-priority high
Step 3.5
Within the MF-class firewall filter, create a new term named voip-limit that
matches traffic with the DSCP class ef. Set the action of the term to then
policer voice-overflow.
[edit firewall]
lab@srxA-1# set filter MF-class term voip-limit then policer voice-overflow
Step 3.6
Insert the new voip-limit term before the term scp in the MF-class filter.
When complete, issue the commit command to activate the changes.
[edit firewall]
lab@srxA-1# insert filter MF-class term voip-limit before term scp
[edit firewall]
lab@srxA-1# show filter MF-class
term http-dst {
from {
destination-port 80;
}
then policer port80;
}
term voip-limit {
from {
dscp ef;
}
then policer voice-overflow;
}
term scp {
from {
destination-port 22;
}
then {
loss-priority low;
forwarding-class data;
}
}
term accept {
then accept;
}
[edit firewall]
lab@srxA-1# commit
commit complete
In this lab part, you configure and test schedulers and drop profiles.
Step 4.1
Navigate to the [edit class-of-service schedulers] configuration
hierarchy. Create the following five schedulers with the criteria listed in the table.
Name Criteria
be • transmit-rate percent 20
• priority low
• drop-profile-map loss-priority high
protocol any drop-profile aggressive
ef • priority high
• buffer-size percent 20
af • transmit-rate percent 20 exact
• priority medium-high
nc • transmit-rate percent 5
• priority low
data • transmit-rate percent 20
• priority medium-high
[edit firewall]
lab@srxA-1# top edit class-of-service schedulers
Step 4.2
Navigate to the [edit class-of-service drop-profiles] configuration
hierarchy. Create a drop profile named aggressive with the criteria listed in the
following table:
Drop-Profile Criteria
aggressive • fill-level 30 drop-probability 40
• fill-level 80 drop-probability 60
Scheduler-Map Mappings
my-sched-map • forwarding-class best-effort
scheduler be
• forwarding-class
expedited-forwarding scheduler ef
• forwarding-class assured-forwarding
scheduler af
• forwarding-class network-control
scheduler nc
• forwarding-class data scheduler data
Step 4.7
Navigate to the [edit class-of-service] configuration hierarchy. Apply the
scheduler-map my-sched-map to interface ge-0/0/1. Issue the commit
command to activate the changes.
[edit class-of-service scheduler-maps]
lab@srxA-1# up
[edit class-of-service]
lab@srxA-1# set interfaces ge-0/0/1 scheduler-map my-sched-map
[edit class-of-service]
lab@srxA-1# commit
commit complete
[edit class-of-service]
lab@srxA-1#
Step 4.8
Issue the command run clear interfaces statistics all to clear the
interface statistics for all interfaces.
[edit class-of-service]
lab@srxA-1# run clear interfaces statistics all
Step 4.11
Issue the run show interfaces queue ge-0/0/1 forwarding-class
best-effort command to view details about the best-effort queue.
[edit class-of-service]
lab@srxA-1# run show interfaces queue ge-0/0/1 forwarding-class best-effort
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 508
Forwarding classes: 8 supported, 5 in use
Egress queues: 8 supported, 5 in use
Queue: 0, Forwarding classes: best-effort
Queued:
Packets : 77957 0 pps
Bytes : 76001724 0 bps
Transmitted:
Packets : 71644 0 pps
Bytes : 66461740 0 bps
Tail-dropped packets : 4634 0 pps
[edit class-of-service]
lab@srxA-1# set interfaces ge-0/0/8 unit 0 rewrite-rules dscp dscp-rewrite
[edit class-of-service]
lab@srxA-1# show interfaces ge-0/0/8
unit 0 {
rewrite-rules {
dscp dscp-rewrite;
}
}
[edit class-of-service]
lab@srxA-1# show rewrite-rules
dscp dscp-rewrite {
import default;
forwarding-class best-effort {
loss-priority low code-point af31;
}
}
[edit class-of-service]
lab@srxA-1# commit
commit complete
[edit class-of-service]
lab@srxA-1#
Step 5.4
Return to the CLI session on your CoS host.
On the CoS host, issue the sudo /usr/sbin/tshark -w icmp.cap -ni
eth1 -c 10 dst host srx command. Use lab123 for a password when
prompted.
Let the command run, and proceed to the next step.
[lab@cos2 ~]$ sudo /usr/sbin/tshark -w icmp.cap -ni eth1 -c 10 dst host srx
[sudo] password for lab:
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
Step 5.5
Return to the CLI session on your SRX Series student device.
On the SRX Series device, ping the other team’s CoS host from your SRX Series
device. Set the ToS byte to 96 and only send 10 pings. Refer to the network diagram
as needed.
Note
When using the ToS byte option when
pinging, it accounts for the entire 8 bit ToS
field of the IP header. The following is a
table representing AF31 and CS3 DSCP
class selectors in decimal, accounting for 6
and 8 bits:
CS3: ToS = 96 DSCP = 24
AF31 ToS = 104 DSCP = 26
[edit class-of-service]
lab@srxA-1# run ping peer-CoS-host tos 96 count 10
PING 20.1.1.2 (20.1.1.2): 56 data bytes
64 bytes from 20.1.1.2: icmp_seq=0 ttl=63 time=2.258 ms
64 bytes from 20.1.1.2: icmp_seq=1 ttl=63 time=1.803 ms
64 bytes from 20.1.1.2: icmp_seq=2 ttl=63 time=1.752 ms
...
Step 5.6
Return to the CLI session on your CoS host.
On the CoS host, the tshark command should have finished. Read the icmp.cap
output file matching for the DSCP field. Use the command
sudo /usr/sbin/tshark -r icmp.cap -V | egrep DSCP for this task.
If prompted for a password, use lab123.
[lab@CoS1 ~]$ sudo /usr/sbin/tshark -r icmp.cap -V | egrep DSCP
Running as user "root" and group "root". This could be dangerous.
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN:
0x00)
Step 5.7
Using the exit command, log out of the CoS host and then log out of your second
SRX Series CLI session.
[lab@CoS1 ~]$ exit
logout
lab@srxA-1> exit
[edit]
lab@srxA-1# load override ajer/reset.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
Overview
Within a local autonomous system (AS) topology, the internal BGP (IBGP) peers are fully
meshed to prevent routing loops from forming. A fully meshed network inherently has
scalability issues, which include the explicit configuration of all IBGP peer with the
addition of a new router. One method to alleviate the full mesh requirement and still
ensure a loop-free BGP topology is route reflection. Route reflection provides a
loop-detection mechanism within IBGP to allow IBGP routes to be readvertised to other
IBGP peers.
In this lab, you use the lab diagrams titled “Lab 10: BGP Route Reflection—Parts 1–2,”
“Lab 10: BGP Route Reflection—Part 3,” and “Lab 10: BGP Route Reflection—Part 4” to
configure and monitor BGP route reflection.
By completing this lab, you will perform the following tasks:
• Load the extended topology.
• Verify standard IBGP behavior.
• Configure route reflection.
• Examine the reflected routes.
• Add a third client router.
• Verify routes on a third client router.
In this lab part, you load a baseline configuration that automatically configures your
router according to the lab diagram labeled “Lab 10: BGP Route Reflection—
Parts 1–2.”
Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the management network diagram to
determine the management address of your student device.
Step 1.2
Access the CLI on your student device using either the console, Telnet, or SSH as
directed by your instructor. Refer to the management network diagram for the
IP address associated with your student device. The following example uses a
simple Telnet access to srxA-1 with the Secure CRT program as a basis:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/ajer/lab10-start.config command.
After the configuration has been loaded, commit the changes before proceeding.
srxA-1 (ttyu0)
login: lab
Password:
[edit]
lab@srxA-1# load override ajer/lab10-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
In this lab part, you verify router-to-router connectivity and BGP operations using the
command-line interface (CLI).
Note
The lab topology makes extensive use of
virtual routing instances configured on the
SRX Series student device. When using
certain show commands, you must use the
instance option and include the routing
instance name (master, C1, C2, or C3).
Furthermore, you must also use the table
option to display routing table information
specific to the routing instance with which
you are working.
Step 2.1
To verify your IGP is working properly on your student device, issue the run show
ospf neighbor instance master command. You should have four OSPF
adjacencies in the Full state. Two adjacencies are to your remote partner’s student
device. The remaining two adjacencies are to each of your virtual routers (C1 and
C2).
[edit]
lab@srxA-1# run show ospf neighbor instance master
Address Interface State ID Pri Dead
172.20.1.2 ge-0/0/1.0 Full 192.168.2.1 128 36
172.20.3.2 ge-0/0/14.1 Full 192.168.1.2 128 35
172.20.4.2 ge-0/0/14.2 Full 192.168.1.3 128 35
172.20.2.2 ge-0/0/2.0 Full 192.168.2.1 128 39
Step 2.2
To verify your network has a full mesh of IBGP peers, issue the run show bgp
summary instance instance-name command three times, once each where
the instance name is master, C1, and C2. Your student device, and each of the two
virtual routers, should each have five established BGP peers at this time, one to
each of the other routers in the network.
[edit]
lab@srxA-1# run show bgp summary instance C1
Groups: 1 Peers: 5 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
C1.inet.0 3 3 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
192.168.1.1 64700 132 133 0 2 59:44 Establ
C1.inet.0: 0/0/0/0
192.168.1.3 64700 133 131 0 0 59:40 Establ
C1.inet.0: 1/1/1/0
192.168.2.1 64700 74 74 0 0 33:20 Establ
C1.inet.0: 0/0/0/0
192.168.2.2 64700 74 73 0 0 32:46 Establ
C1.inet.0: 1/1/1/0
192.168.2.3 64700 76 74 0 0 33:22 Establ
C1.inet.0: 1/1/1/0
[edit]
lab@srxA-1# run show bgp summary instance C2
Groups: 1 Peers: 5 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
C2.inet.0 3 3 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn
State|#Active/Received/Accepted/Damped...
192.168.1.1 64700 130 134 0 2 59:42 Establ
C2.inet.0: 0/0/0/0
192.168.1.2 64700 130 133 0 0 59:42 Establ
C2.inet.0: 1/1/1/0
192.168.2.1 64700 73 74 0 0 33:18 Establ
C2.inet.0: 0/0/0/0
192.168.2.2 64700 73 72 0 0 32:36 Establ
C2.inet.0: 1/1/1/0
192.168.2.3 64700 74 74 0 0 33:20 Establ
C2.inet.0: 1/1/1/0
[edit]
lab@srxA-1# run show route 200.200/16 table C1.inet.0
[edit]
lab@srxA-1# run show route 200.200/16 table C2.inet.0
To this point, we have verified that our fully meshed IBGP network is working
properly. All the 200.200/16 routes are being propagated throughout the network.
Now, imagine a scenario in which you need to add a new router to your network. To
maintain the BGP requirement of a full mesh, you would have to configure six IBGP
peering sessions on the new router, one for each of the existing routers.
Furthermore, you would have to configure this new router as an IBGP peer on every
other router in the network. What if you had 50 routers? 100? You can quickly see
that the BGP requirement of a full mesh does not scale well.
In this lab part, you reconfigure your current network into a route-reflected network.
Use the lab diagram title “Lab 10: BGP Route Reflection—Part 3” for this section.
Step 3.1
Navigate to the [edit protocols bgp] hierarchy and issue the show
command to view the current BGP configuration for your student device.
[edit]
lab@srxA-1# edit protocols bgp
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 3.9
Navigate to the [edit protocols bgp group rr-cluster] hierarchy. Use
the cluster statement to configure the cluster ID as shown on your lab diagram.
When complete, issue the commit command to activate your changes.
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 3.10
Issue the run show route 200.200/16 table table-name command
three times, once each where the table name is inet.0, C1.inet.0, and
C2.inet.0.
Note
It might take a few moments for the routes
to propagate and populate the tables.
Step 3.11
Issue a run show route prefix/24 table C1.inet.0 detail
command, where prefix is the route advertised from your local C2 virtual router.
[edit protocols bgp group rr-cluster]
lab@srxA-1# run show route prefix/24 table C1.inet.0 detail
Step 3.12
Issue a run show route prefix/24 table C1.inet.0 detail
command, where prefix is the route advertised from the remote C1 virtual router.
[edit protocols bgp group rr-cluster]
lab@srxA-1# run show route prefix/24 table C1.inet.0 detail
Use the lab diagram titled “Lab 10: BGP Route Reflection—Part 4” for the remainder
of this lab.
In this lab part, both teams add a new virtual router to the network. Refer to the lab
diagram for your locally attached C3 virtual router. Now that we have a working,
route-reflector setup, adding a new router is quickly and easily accomplished.
Your local C3 router has been partially configured for you. On your assigned student
device, you first add the necessary configuration to bring up the new router in OSPF.
Next, you add this new router to your route-reflector cluster. Finally, you configure
BGP on the C3 virtual router and verify it is receiving routes from the other virtual
routers.
Step 4.1
Navigate to the [edit protocols ospf area 0.0.0.0] hierarchy. Add the
ge-0/0/14.3 interface to Area 0 with the interface-type p2p option. When
complete, issue the commit command to activate your changes.
[edit protocols bgp group rr-cluster]
lab@srxA-1# top edit protocols ospf area 0
Step 4.3
Verify IGP connectivity by issuing the
run ping local-C3-loopback-address rapid command.
[edit protocols ospf area 0.0.0.0]
lab@srxA-1# run ping local-C3-loopback-address rapid
PING 192.168.1.4 (192.168.1.4): 56 data bytes
!!!!!
--- 192.168.1.4 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.259/3.589/7.916/2.581 ms
Step 4.4
Navigate to the [edit protocols bgp group rr-cluster] hierarchy. Add
your local C3 router’s loopback address as a neighbor in the rr-cluster group.
[edit protocols ospf area 0.0.0.0]
lab@srxA-1# top edit protocols bgp group rr-cluster
Note
Before proceeding, ensure that the remote
student team in your pod finishes the
previous step.
Step 4.8
Issue the run show route 200.200/16 table C3.inet.0 command to
verify your C3 router is receiving routes from the other virtual routers in the network.
[edit routing-instances C3 protocols bgp]
lab@srxA-1# run show route 200.200/16 table C3.inet.0
Step 4.9
Navigate to the top hierarchy level and issue the
load override /var/home/lab/ajer/reset.config command to load
the reset configuration file. Commit the changes, return to operational mode, and
then log out of your assigned device.
[edit routing-instances C3 protocols bgp]
lab@srxA-1# top
[edit]
lab@srxA-1# load override ajer/reset.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP Tell your instructor that you have completed Lab 10.