
Check out my iNET ZERO more ...



Recently, a customer had several issues going on at the same time. The customer had an MPLS L3VPN with a default route towards a central firewall in more ...



A little while ago, I had the pleasure of reviewing the day one book ‘vMX Up and Running’. This book, written by Matt Dinham, is the latest addition to the Juniper day one library and aims to get you started on the vMX.



more ...



Packet loss can be caused by all sorts of reasons. Could be faulty hardware, a software issue on a device, a congested link or some policers and shapers that are working against you. In order to fix packet loss in a network, you first have to pinpoint where the packets are being dropped. Pinpointing where the packets are dropped is not always easy, especially if the packet loss is low, intermittent and affecting only 1 traffic flow specifically.

Suppose that a VM, sitting behind several switches and a router, is experiencing packet loss:


troubleshooting with firewall filters

more ...



Configuring Q-in-Q, or dot1q tunneling can lead to some confusion. I’ve seen confusion due to changes in the new enhanced Layer 2 CLI configuration and because of a mismatch in Ethertype. This is a short article on how dot1q-tunneling can be configured on an EX, QFX or VCF. I’ll configure a dot1q tunnel between two EX4300's and between a VCF and an EX4200.


QinQ
more ...



Lately, I’ve been using Python to eliminate some boring chores. I wanted to share a short example on how you could use Netmiko to connect to multiple devices.


more ...



Somewhere in 2012, I started working for an ISP that offers datacenter, connectivity, cloud and telecom services. I started out as the sole network engineer in the engineering department. At that time, the company already had a long standing relationship with Juniper. Juniper was, and still is, the vendor that supplies most of the networking equipment. more ...




Check out my iNET ZERO guest blog about more ...



Normally, I use Huawei for all sorts of CPE stuff. But this time, instead of connecting a Huawei CPE to an MPLS VPN, I thought I’d use Huawei to create the Layer 3 MPLS VPN itself. Using eNSP, the free and open Enterprise Simulation Platform, I created the following scenario:


Huawei MPLS VPN
more ...

LSPs can be configured with a whole variety of characteristics. You can police traffic that is sent onto an LSP, steer the LSP through certain locations in the network and much more. When you create several LSPs towards the same destination router, prefixes using that router as a next-hop are randomly divided across those LSPs. What I recently found out is that you can map traffic onto a specific LSP using policies. Exercising control in this way offers some interesting possibilities. Steering or policing entire services by sending them onto a specific LSP is just one of the possibilities.

Let’s walk through a configuration example where we’ll use the BGP community ‘peer’ for policy based LSP mapping. Let’s look at the scenario before any policy is created:

Policy based LSP mapping
more ...

What your BGP peers decide to advertise is out of your control. What you accept is not. This is a short article on basic route-filtering using Junos. The more ...




Check out my iNET ZERO guest blog about more ...



This article is about syslog and Junos. I’ll go over several examples on what you can configure under the [ system syslog ] stanza. Examples used here are snippets of configuration that I think benefit a device running Junos OS. Apart from logging to the obvious syslog server, I’ll also log to a file and to a user in this article.


more ...

Though the OSPFv3 protocol does not offer a built-in authentication method, IPsec can be used to secure protocol exchanges between devices running OSPFv3. To authenticate OSPFv3 on a Juniper device, you more ...



The past few weeks I have been working on the replacement of several core nodes. After finally installing the last MX, I wanted to revise several configurations that were applied. One of the configurations that I revised was the configuration used in more ...



Recently, I’ve been having some fun with the vSRX. I wanted to share the lab I created so others can see how easy it is to get things going with the vSRX. The vSRX doesn’t require a lot of resources and it is a really nice way to get acquainted with both the routing and firewalling capabilities that Junos has to offer. Labbing with a vSRX allows you to quickly test and play with routing-protocols (OSPF(v3), IS-IS, BGP), stateful firewalling, NAT, IPsec or even MPLS. This guide offers an insight into how you can set up a lab and it will provide you with some basic configurations to get started yourself.

vSRX lab setup

more ...

Had a quick play with the Brocade Vyatta 5415 vRouter today.
more ...



After creating a single-homed layer 2 EVPN, let’s add some layer 3 routing and see in what way EVPN can benefit the datacenter.

But first, have a look at a situation wherein a VPLS is connecting two data centers together:

EVPN

In the picture above, a VPLS exists between two bottom routers. By placing an IRB interface more...



For a while now I wanted to try out EVPN on the MX. I decided to go for the easiest of scenarios that EVPN has to offer: a single-homed VLAN-based EVPN:

EVPN

There is a lot to tell about EVPN. For instance, EVPN uses MP-BGP in a way that is similar to MPLS VPN and MAC learning does not occur in the data plane but in the control plane. While there is a lot of interesting theory to go on about, the focus in this article is to keep it simple and short. First, it more...



vSRX

Lagging behind with the vSRX (I actually never used it up until now) I decided to play around with it a bit. Apart from trying it out as a firewall, I wanted to see if I could do some interesting labs with the vSRX. I figured that 10 or so vSRXs would make for a nice lab suitable to train others.

more...

Turning on IPFIX (IP Flow Information Export) on Juniper MX is a good idea if you want to know what’s going on. Not only can it provide you with a tremendous insight into the traffic traversing your network, you can also use the information provided by IPFIX to automatically divert traffic or thwart a DDOS.

more...

DDOS

A DDOS can hit your network like a tsunami. Recently, I had the pleasure of designing and integrating a solution that can automatically thwart a DDOS attack by making use of a third party scrubbing center and a GenieATM.

more...

Juniper fan of the month

more...

For future use cases, I was interested in knowing how a Layer 3 VPN (L3VPN) would behave on a QFX5100. For this reason, I created the following lab:

QFX5100 Layer 3 VPN

more...

Connecting other parts of the network to the VCF in a redundant way using Link Aggregation Groups (LAG) is very easy. A LAG can combine several Ethernet interfaces into a single logical link called an Aggregate Ethernet (AE) interface. When you are running a VCF, you’d best spread this LAG across multiple member switches. This way, during an NSSU or during the loss of 1 node, everything in your network will keep on running.

Virtual Chassis Fabric LAG

more...

Having to deal with a network edge that organically grew as time passed, evolving into an ever more complicated constellation of switches, is frustrating. Looming in the back of my mind were choices made in a past I had no part of. Those choices strained growth and frustrated my attempt to keep a clear overview of the network.

In this sense, redoing the network edge with the Virtual Chassis Fabric offered a breath of fresh air in the data center. I installed and integrated a Virtual Chassis Fabric (VCF) into the network not too long ago. The speed and ease with which I was able to deploy the VCF was really impressive. It was quite an exciting project, playing with this relatively new architecture. After completing the integration, I thought I’d share my reasons for choosing the VCF and show you the basic configuration.

Virtual Chassis Fabric

more...

Today I configured an IPsec VPN between a Huawei AR1220F and a Juniper M104. I wanted to keep the configuration around for future reference. The configuration on a Huawei is rather straightforward. To put the Huawei AR IPsec configuration in a picture:

Huawei AR IPsec

more...

An example configuration that will let you create an IPsec VPN that originates from an MPLS-VPN. I created the following scenario:

mx services mic ipsec

Used and verified the following configuration more...



bird bgp filter

Coming from Junos, I found that manipulating BGP path attributes in BIRD is both straightforward and powerful. I wanted to share more...


In this example, a server running BIRD will function as a route-reflector for two MX-routers:


bird route reflector

more...

I’ve been wanting to play with The BIRD Internet Routing Daemon for some time now. This weekend, I finally got around to it. Since I’m mostly working with MX routers now, I thought I’d share the following example configuration:


bird mx ospf


more...

When you are confronted with a DDOS, what’s better than to duck and cover? Not having to duck at all.

How can you achieve this? By working with your IP-transits and using a Remotely-Triggered Black Hole (RTBH). More often than not, IP transits offer such a complementary service.


more...

Since I am interested in MPLS VPNs, I thought I’d share a quick and easy example configuration. In this example, I'll enable both NAT and stateful firewalling for an MPLS VPN. The topology on which I was trying out this configuration was the following:


mx ddos duck and cover

more...

DDOS, the volumetric ones, can be a real pain. As soon as it hits, the links you have towards the rest of the world can become saturated and the entire company can come to a grinding halt. Here’s a tip on how to weather the storm: duck and cover.


mx ddos duck and cover

more...

Still playing around with a Services MIC (MS-MIC-16G) that is inserted into an MX104. Thought I’d share a small post on how to enable NAT for a simple scenario. There are over 10 different types of NAT that the Services MIC can provide you with. Here’s an example on how to have the MX104 perform NAPT-44 in the following scenario:



more...

This is a quick start guide to enable stateful firewalling on an MX router. In this example, I’ll enable the MS-MIC-16G on a MX104. After that, I’ll configure stateful firewalling, enabling communication between the loopback IP addresses of two routers:


ms-mic-16g goody

more...

Juniper MX routers, except for the MX80, are capable of having two routing-engines (RE). In this article, I’ll configure an MX480 with some of the high-availability features offered by Junos. By using these features, you can decrease the downtime normally associated with a RE failure to an absolute minimum.


MX dual RE


more...

Of course, you need to allow RSVP in the firewall filter you are using to protect the routing-engine. The book Juniper MX series covers this in depth in chapter 4. It offers a very extensive guide or example on how you could go about building a proper firewall filter to protect the RE.

Basically, what the book suggests is to use an input-list of several filters that is applied to the lo0 interface:


MX firewall filter rsvp
more...

After covering link-protection and node-link-protection, I realized that I forgot one aspect. You can make Junos install the pre-signaled bypass LSP into the forwarding table. This is done by more...


Protecting LSPs in an MPLS enabled network can save quite some downtime whenever a link or a node in your network fails. In this article, we’ll go through the configuration of both link-protection and node-link-protection. We’ll configure it for the following scenario:


scenario

more...

After examining fast-reroute, let’s delve into link and node-link protection. First I’ll briefly discover the theory. In a next post, I’ll configure and verify both protection methods on two LSPs.

The goal of link-protection is similar to that of fast-reroute; protecting traffic that is forwarded onto an LSP. Fast-reroute pre-signals detour LSPs. These detour LSPs can be used by an LSR to forward traffic in case of a link-failure. In the following picture, we can see that a link between Nero and Septimus is interrupted:


scenario
more...

Traffic sent across RSVP-signaled LSPs without any additional configuration is susceptible to quite some down-time when a node or a link in the network fails. In a previous article, I made an LSP more robust by configuring a primary and a secondary LSP. Let’s further enhance the LSP by configuring and verifying fast-reroute (FRR).

Our starting position is an LSP from Tiberius to Commodus:


scenario

The LSP more...


A failure somewhere in the network can cause traffic traversing an RSVP-signaled LSP to be dropped. Several possibilities exist to reduce the impact a failure can have on RSVP-signaled LSPs. This article is about the creation of a secondary standby path in order to reduce downtime that is incurred upon a network failure somewhere along the RSVP-signaled LSP.

Let's make the label-switched-path between Tiberius and Commodus more robust by configuring the Tiberius router to set up two paths towards the Commodus router:


scenario

By default more...


This is a quick and short article on how to perform vlan-swapping on a Juniper QFX5100. I was used to tunneling vlans in a QFX5100 by using the push-operation available through a vlan-map. With this in mind I was struggling to get vlan translation on the QFX5100 working. I was trying to accomplish vlan-swapping through the same type of configuration.

Turns out swapping vlan-id’s is a lot easier. In the following lab setup, I will make the QFX translate vlans between two of the MX104’s interfaces:


scenario

On the MX104, more...


After completing a basic configuration on a set of MX routers in this article, we now have a set of MX routers enabled for RSVP signaled LSPs. Instead of creating a simple static route across an LSP, this article is about establishing an LDP session across RSVP signaled LSPs. That LDP session will be used to signal a Martini-draft style pseudowire:



scenario

A way to provide layer 2 services to customers is more...


This article is about the basic configuration on how to get an RSVP signaled MPLS LSP (label-switched path) working on a Juniper MX router. The focus will be on the minimum amount of configuration needed to create LSPs between the Tiberius and the Commodus router:



scenario

After we have established the LSPs, we’ll proceed more...





