Posts for: #Junos

Static Routing

Next Hop Values

On R2, verify that there is a BGP route to 1.1.1.1.

user1@R2>
user1@R2> show route 1.1.1.1

inet.0: 15 destinations, 15 routes (15 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[BGP/170] 5d 13:58:29, localpref 100
                      AS path: 17 17 17 17 I, validation-state: unverified
                    >  to 10.10.10.1 via ge-0/0/1.0

On R1, configure a static route to 10.22.1.32/27 with next-hop 10.10.10.2 and preference 6. The ping from R1's loopback to R2's 10.22.1.34 interface must succeed. This is what the RIB looks like when a static route is configured with a next hop set to the IP address of a directly attached host:

[Read more]

Restricting SSH Remote Access to Selected Management Stations

Lab Data

Topology

Rocky-Linux <-> Oob-Router <-> R1

Subnets

Rocky-Linux: .21 <- 192.168.201.0/24 -> Oob-Router:.1 <- 172.17.81.0/24 -> R1:.42

Purpose

Connecting to R1 from a remote machine using SSH must be restricted to a list of management stations with authorized IP addresses.

Sample Configuration

root@R1> show configuration policy-options prefix-list WassimRocky 
192.168.201.0/24;
root@R1> 
root@R1> show configuration firewall family inet filter Filter1 
term AllowRocky {
    from {
        source-prefix-list {
            WassimRocky;
        }
        destination-port ssh;
    }
    then accept;
}
term PreventOthersSSH {
    from {
        destination-port ssh;
    }
    then {
        count CountSSHdiscards;         
        discard;
    }
}
term AllowOthers {
    then accept;
}
root@R1> show configuration interfaces lo0 unit 0 
family inet {
    filter {
        input Filter1;
    }
    address 1.1.1.1/32;
}
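As an added example (not the post's own code), a small Python model of Filter1's first-match evaluation, with the prefix-list, terms and sample packets constructed from the lab data above; it also shows what the filter's implicit final discard would do to non-SSH traffic such as BGP if the catch-all AllowOthers term were missing.

```python
import ipaddress

# Constructed model of the post's Filter1: prefix-list and terms in configured order.
PREFIX_LISTS = {"WassimRocky": ["192.168.201.0/24"]}

FILTER1 = [
    {"name": "AllowRocky", "source_prefix_list": "WassimRocky",
     "destination_port": 22, "action": "accept"},
    {"name": "PreventOthersSSH", "destination_port": 22,
     "action": "discard", "count": "CountSSHdiscards"},
    {"name": "AllowOthers", "action": "accept"},
]


def evaluate(terms, src_ip, dst_port, counters=None):
    """First-match evaluation of one packet, returning (term_name, action).
    A term without a 'from' clause matches everything; when no term
    matches, the filter's implicit discard applies."""
    src = ipaddress.ip_address(src_ip)
    for term in terms:
        pl = term.get("source_prefix_list")
        if pl is not None and not any(
                src in ipaddress.ip_network(p) for p in PREFIX_LISTS[pl]):
            continue
        port = term.get("destination_port")
        if port is not None and port != dst_port:
            continue
        if counters is not None and "count" in term:
            counters[term["count"]] = counters.get(term["count"], 0) + 1
        return term["name"], term["action"]
    return "implicit", "discard"


def run_cases(terms):
    """Evaluate constructed sample packets toward lo0; return verdicts and counters."""
    counters = {}
    packets = [
        ("192.168.201.21", 22),  # Rocky-Linux management station, SSH
        ("172.17.81.1", 22),     # Oob-Router trying SSH: not in the prefix-list
        ("10.10.10.1", 179),     # a BGP session toward the RE, not SSH
    ]
    verdicts = {pkt: evaluate(terms, *pkt, counters) for pkt in packets}
    return verdicts, counters


if __name__ == "__main__":
    for pkt, verdict in run_cases(FILTER1)[0].items():
        print(pkt, "->", verdict)
    # Without the catch-all AllowOthers term the implicit discard drops BGP too:
    print(evaluate(FILTER1[:2], "10.10.10.1", 179))
```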
[Read more]

Activating And Reading Logs at the Protocol Level: Traceoptions

Provisional reality: Each BGP speaker is dropping the ingress BGP messages from the other BGP speaker.

Configuration:
user1@R2> show configuration protocols bgp group internPeers
type internal;
traceoptions {
    file bgpDebugWassim;
}
peer-as 22;
neighbor 4.4.4.4;

user1@R2>

Observed reality:

user1@R2> show log bgpDebugWassim
Jul  2 07:54:16 trace_on: Tracing to "/var/log//bgpDebugWassim" started
Jul  2 07:54:28.866558 advertising graceful restart receiving-speaker-only capability to neighbor 4.4.4.4 (Internal AS 22)
Jul  2 07:54:28.866776 advertising LLGR receiving-speaker-only capability to neighbor 4.4.4.4 (Internal AS 22)
Jul  2 07:54:28.871406 bgp_handle_notify:5119: NOTIFICATION received from 4.4.4.4 (Internal AS 22): code 6 (Cease) subcode 5 (Connection Rejected)
Jul  2 07:56:56.882622 advertising graceful restart receiving-speaker-only capability to neighbor 4.4.4.4 (Internal AS 22)
Jul  2 07:56:56.882686 advertising LLGR receiving-speaker-only capability to neighbor 4.4.4.4 (Internal AS 22)
Jul  2 07:56:56.889349 bgp_handle_notify:5119: NOTIFICATION received from 4.4.4.4 (Internal AS 22): code 6 (Cease) subcode 5 (Connection Rejected)

user1@R2>

Adjusted provisional reality: the BGP speakers do not recognize the source address of the received BGP messages. Action: set the source address of BGP messages on both routers.

[Read more]