ShortestPathFirst Network Architecture and Design, and Information Security Best Practices

18 Jan 2010

Facilitating Firewall Filter Configuration in JUNOS using ‘apply-path’

Undoubtedly, one of the coolest features in JUNOS is the apply-path statement. Using apply-path, an operator can configure a prefix-list which comprises IP prefixes linked to a defined path within JUNOS. This facilitates tasks like configuring firewall filters to allow traffic from configured BGP neighbors, making them highly dynamic.

For example, suppose we have the following configuration:

system {
    ntp {
        server 192.168.70.10;
        server 192.168.72.10;
    }
}
protocols {
    bgp {
        group ibgp {
            type internal;
            neighbor 192.168.50.100;
            neighbor 192.168.50.101;
            neighbor 192.168.50.102;
            neighbor 192.168.50.103;
            neighbor 192.168.50.104;
            neighbor 192.168.50.105;
        }
    }
}

Let's assume we want to restrict BGP and NTP traffic to only those peers with whom we actually wish to peer.  Without apply-path, we'd have to configure a prefix-list (or add individual source-address statements) comprising all of the above addresses and reference it from our firewall filter configuration, as in the following:

policy-options {
    prefix-list bgp-peers {
        192.168.50.100/32;
        192.168.50.101/32;
        192.168.50.102/32;
        192.168.50.103/32;
        192.168.50.104/32;
        192.168.50.105/32;
    }
    prefix-list ntp {
        192.168.70.10/32;
        192.168.72.10/32;
    }
}
firewall {
    filter re-protect {
        term bgp {
            from {
                prefix-list {
                    bgp-peers;
                }
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term ntp {
            from {
                prefix-list {
                    ntp;
                }
                protocol udp;
                port ntp;
            }
            then accept;
        }
    }
}

As you can see, that's a lot of redundant typing, especially considering we've already configured these addresses under their respective configuration stanzas within JUNOS.  The above example might not seem like a lot, but on an ISP edge router it wouldn't be uncommon to see several hundred such BGP neighbor statements.  Now multiply that across all of the devices in your network and you will quickly see how cumbersome prefix-list maintenance can become.

Enter the apply-path statement.  The idea behind the apply-path statement was to create a method whereby prefix-lists could be created dynamically by simply referencing other portions of the configuration, thus eliminating most of the effort required to maintain a prefix list.  The path consists of elements separated by spaces.  Each element matches a specific keyword or identifier within the configuration, and you can use wildcards to match more than one identifier.  Wildcards must be enclosed in angle brackets, for example, <*>.

As an example, let us take a look at how the above prefix-list definition could be simplified:

policy-options {
    prefix-list bgp-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list ntp {
        apply-path "system ntp server <*>";
    }
}

With the above we've eliminated 8 lines of configuration and replaced them with 2.  The apply-path statement tells JUNOS to generate the prefix-list dynamically by looking at the "protocols bgp group <*> neighbor <*>" and "system ntp server <*>" portions of the configuration.

Although this has simplified the configuration greatly, it comes at the expense of being able to easily identify which addresses are part of a prefix-list.  To verify that the apply-path statement is working correctly, and to identify the addresses that make up the prefix-list, we can use the "show | display inheritance" command, as in the following:

root@jncie-lab# show | display inheritance
prefix-list bgp-peers {
    ##
    ## apply-path was expanded to:
    ##     192.168.50.100/32;
    ##     192.168.50.101/32;
    ##     192.168.50.102/32;
    ##     192.168.50.103/32;
    ##     192.168.50.104/32;
    ##     192.168.50.105/32;
    ##
    apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list ntp {
    ##
    ## apply-path was expanded to:
    ##     192.168.70.10;
    ##     192.168.72.10;
    ##
    apply-path "system ntp server <*>";
}
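To make the expansion rule concrete, here is an added Python illustration (my own code, not from the original post and not how JUNOS implements it) that parses a small constructed config in the same brace style, expands an apply-path string element by element, and diffs the result against a hand-maintained prefix-list so that a list that has drifted from the BGP stanza shows up. It assumes that a glob inside the angle brackets, such as <ib*>, is also a valid wildcard, which goes beyond the <*> form shown above.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_network
# Constructed sample in the post's JUNOS brace style; not taken from a real device.
CONFIG = """protocols {
    bgp {
        group ibgp {
            neighbor 192.168.50.100;
            neighbor 192.168.50.101;
        }
        group ebgp {
            neighbor 10.1.1.1;
        }
    }
}"""

def parse(text):
    """Parse JUNOS brace-structured text into nested dicts keyed by statement word tuples."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(tuple(line[:-1].split()), {}))
        else:
            stack[-1][tuple(line.rstrip(";").split())] = None
    return stack[0]

def _match(elem, word):
    # Angle-bracketed elements (<*>, and by assumption globs like <ib*>) are wildcards.
    return fnmatchcase(word, elem[1:-1]) if elem[:1] + elem[-1:] == "<>" else elem == word

def expand(node, elems):
    """Identifiers selected by the remaining path elements below node, depth-first."""
    found = []
    for key, child in node.items():
        if len(key) <= len(elems) and all(map(_match, elems, key)):
            if len(key) == len(elems):
                found.append(key[-1])          # last word of the statement is the identifier
            elif child is not None:
                found.extend(expand(child, elems[len(key):]))
    return found

def apply_path(config_text, path):  # expand as 'show | display inheritance' would
    return sorted(str(ip_network(v, strict=False)) for v in expand(parse(config_text), path.split()))

def drift(config_text, path, explicit):
    """Compare the expansion with a hand-maintained list: (missing from list, stale in list)."""
    live, hand = set(apply_path(config_text, path)), set(explicit)
    return sorted(live - hand), sorted(hand - live)
```

Identifiers that are not IP literals (an NTP server given by hostname, for instance) raise ValueError here rather than being silently skipped.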

In closing, the use of apply-path in an operational network assists in hardening the network and can dramatically reduce the operational overhead of maintaining prefix-lists.  In addition, it helps to eliminate configuration errors in which the addresses added to a prefix-list don't match those configured in the respective portions of the JUNOS configuration.


13 Jan 2010

Preparation Tips for the JNCIP-M/T and JNCIE-M/T Exams

So it's been a while since I've posted, and I'm just now getting to a point where I can start writing a bit more, not to mention feeling quite a bit more well rested after a grueling month of December. I was quite busy during the last month as I was doing last-minute preparations for my JNCIE-M/T exam scheduled for Dec. 17th, not to mention trying to wrap up several projects before year's end. I'm delighted to say that I passed the exam and am now the proud recipient of the highly sought-after JNCIE-M/T designation!  I'd like to take a few moments to share my experiences with the rest of you who may also decide to pursue this certification.

Before I delve into the specifics of the JNCIP-M/T and JNCIE-M/T preparations, let me suggest that anyone who is interested in pursuing this track start out with the JNCIA-M/T certification, prior to moving to the JNCIS-M/T. While it is possible to skip directly to the JNCIS-M/T certification, there is so much useful information available in the 'JNCIA Study Guide' that I strongly believe it should be at the top of the list for those who are just starting out with JUNOS.

As for JNCIP-M/T, I prepared entirely using the 'JNCIP Study Guide' by Harry Reynolds. Although this book is long out of print, the Study Guide is available as a free download from Juniper's website, as are the rest of the Study Guides for the Service Provider track. For actual hands-on, I used a testbed comprised entirely of Juniper Olives running in VMware. Yes, it is possible to use an Olive lab exclusively in order to do EVERYTHING needed to prepare for this exam. As this exam is mostly focused on BGP and IGPs, there is nothing which actually requires a hardware-based PFE or dedicated ASICs, so an Olive is perfectly acceptable for test preparation.

If you decide to pursue this route and do preparations exclusively in this manner, there are a few things to keep in mind. I've found that the initial install of JUNOS requires quite a bit more memory than it does once it's finally completed. I was able to successfully run a VM Olive running JUNOS 8.1 (at the time of this writing JUNOS 8.1 was the version being used in the exam) with as little as 48 MB of memory; however, CLI response time was incredibly slow. I've found the sweet spot to be right at around 96 MB of RAM for each Olive VM image.

In order to follow through the examples in the JNCIP Study Guide, you're going to want to have at least 8 Olive VMs running simultaneously (7 for the actual routers comprising the student's testbed and another Olive to simulate the EBGP peers using Virtual Routers).  Make sure you have at least 768 MB of available memory you can allocate to your VMs.  Depending on what version of VMware you are running, you might need to tweak the vmnet interfaces so that each Olive has enough fxp0s, and you might also need to stitch them together logically within the VMware configuration files.  Be prepared to get under the hood of VMware configuration in order to get all this working correctly.  Perhaps a better option would be to configure an ESX or ESXi Server and run your images off a high-powered server, where you have loads of memory and virtual switching capabilities.  Another option is to utilize a single hardware-based chassis, such as the MX240 and segment this using Logical Routers (see below for details on this configuration).

Preparing for the JNCIE-M/T exam is a bit more difficult, as it requires actual hardware to perform many of the tasks required of this exam.  Many of the tasks like setting up Multicast or Layer 2 VPNs require dedicated hardware within the PFE, so using Olives is not an option.  Never fear, it is entirely possible to prepare for this exam using as little as a single MX240 coupled with Logical Routers (Logical Systems in JUNOS 9.3 and above).  You will need a total of ~40 connections to set this lab up, so get your hands on a high-density 40x1GE card and a bunch of fiber and you should be ready to go.  Make sure the card you use is capable of Layer 3 services, as cards capable of running only Layer 2 services will fall short of many of the configuration tasks.  If you're short on SFPs or just don't have enough physical ports, it's also possible to use logical tunnels to stitch your logical routers together, as in the following example:

logical-systems {
    dc {
        interfaces {
            lt-0/0/10 {
                unit 0 {
                    description dc->r7;
                    encapsulation ethernet;
                    peer-unit 1;
                    family inet {
                        address 10.0.8.13/30;
                    }
                    family iso;
                }
            }
        }
    }
    r7 {
        interfaces {
            lt-0/0/10 {
                unit 1 {
                    description r7->dc;
                    encapsulation ethernet;
                    peer-unit 0;
                    family inet {
                        address 10.0.8.14/30;
                    }
                    family iso;
                }
            }
        }
    }
}
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services {
                bandwidth 1g;
            }
        }
    }
    network-services ip;
}

The last bit is required in order to make sure you allocate a fixed amount of bandwidth on the PFE for the logical tunnels.  The coolest thing about the logical tunnels feature within JUNOS is that you can actually configure them with Ethernet, Frame Relay, or a host of other encapsulation types.  Logical tunnel interfaces behave just like regular interfaces and it's entirely possible to configure things like IS-IS across them, as can be seen in the above example where 'family iso' has been enabled.

Navigating the CLI is a bit unwieldy using Logical Routers if you're working from the root of the physical device, so it's highly advisable to configure individual user accounts for each logical router.  This will enable you to log in to each logical router and be positioned within the root of that logical router as if you were in the root of a real physical router.  This can be accomplished with the following configuration:

system {
    login {
        class dc {
            idle-timeout 0;
            logical-system dc;
            permissions all;
        }
        class r7 {
            idle-timeout 0;
            logical-system r7;
            permissions all;
        }
        user dc {
            uid 2014;
            class dc;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
        user r7 {
            uid 2010;
            class r7;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
}

In addition to the above lab setup, I used the 'JNCIE Study Guide' from Harry Reynolds.  While this is an excellent book in preparation for the exam, my advice is to make sure you also read through the 'MPLS Applications', 'Multicast', and 'VPN' Configuration Guides, and be familiar with as many knobs and configuration options as possible.  You are also going to want to make sure you understand IS-IS and OSPF as well as BGP in an even deeper fashion than that required in the JNCIP-M/T exam.

As a word of note, in preparing for both the JNCIP-M/T and the JNCIE-M/T exams, make sure you have a good handle on how to use 'load merge terminal relative', 'load patch terminal', and when to copy and paste portions of code simply using 'show | display set'.  It's equally important to know which one of the above commands to use in a given situation. For example, when copying changes to several stanzas from one router to another, it's often quite a bit easier to use the 'load patch' command as you won't have to copy snippets from portions of different stanzas into a notepad prior to loading into the target router. Little things like this can save quite a bit of time and will come in handy when your time would be better served trying to focus on troubleshooting why your IGP isn't coming up.

Finally, I should mention that I also utilized the services of Proteus Networks which offers remote-proctored JNCIP-M/T, JNCIE-M/T and JNCIE-ER practice exams on their lab gear.  For $800, their package consists of two 8 hour labs comprising a wide variety of topics you are likely to see on the exam.  When you are finished with each, they will grade it and give you feedback on how well you performed.  What I liked about Proteus is that they even let me play around with the gear after my exam was graded, and allowed me to go and fix some of my mistakes.  In addition, they were highly responsive to my emails, and answered all of my questions in a timely manner.  Looking back, I don't think I would have been able to pass the JNCIE-M/T exam without the use of their services as there were several subject areas identified throughout their exam which required additional focus.  In my opinion, their remote-proctored exams are a genuine bargain for the price and anyone who is preparing for the JNCIE exams should seriously investigate their offerings.

All in all, the total study time for JNCIP-M/T was approximately 2 months, and the total study time for JNCIE-M/T was approximately 3 months.  This usually comprised about an hour or two of reading each day during the week, and anywhere from 10-16 hours of lab time on the weekends.  I'm lucky in that I have also worked in a Service Provider environment for several years where I was able to intimately familiarize myself with many of these technologies over a span of many years.  In addition, I have spent a considerable amount of time reading a plethora of books on a wide variety of networking technologies.  If you are new to MPLS, Multicast, Layer 2/3 VPNs, QoS, or IPv6, you may want to factor additional time into your study schedule.  The trick here is to be consistent and develop a schedule which you can live with - you will be infinitely better served by spending a few hours a day over a span of several months rather than hundreds of hours in the few weeks before your exam.  Slow and steady wins the race here... you'll be surprised at how quickly a few months can go by when you're motivated and committed to something!

I hope this helps those of you who are pursuing either the JNCIP-M/T or the JNCIE-M/T certifications, and I wish you the best of luck in your endeavors!
