Sunday, December 1, 2013

BGP Route Reflector – Juniper

Configuring iBGP can be painful because every router in the AS needs a manually configured peering session with every other router: a full mesh is required for iBGP, since an iBGP speaker does not re-advertise routes it learned from one iBGP peer to another iBGP peer.
There is a simple formula for the number of sessions you need:
N*(N-1)/2
N is the total number of routers in the AS. With 10 routers that gives 45 sessions, and each session has to be configured on both ends.
The tool that reduces the number of sessions is the route reflector.
Route reflection lets the routers build their peer relationships with a designated route reflector only: a route reflector client needs just one iBGP session, to its route reflector, and the reflector re-advertises (reflects) what it learns from one client to the other clients and to the rest of the AS.
The route reflector and its clients form a cluster. The cluster ID is configured on the route reflector only; a client needs no special configuration, it is an ordinary iBGP peer of the reflector. The reflector stamps reflected routes with its cluster ID (Cluster list) and the router ID of the originating router (Originator ID), and it discards any route whose Cluster list already contains its own cluster ID. That is the loop protection that replaces the full-mesh rule.
You can have more than one route reflector in the same AS, for redundancy. To keep the clients connected to the nonclient routers, the route reflector itself still has to be fully meshed with all nonclient routers and with the other route reflectors in the AS.
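A minimal Junos configuration for the reflector side, as an added example (not configuration from the original post): router 10.0.0.1 reflects for clients 10.0.0.2 and 10.0.0.3 and keeps an ordinary iBGP session to nonclient 10.0.0.4. AS 65000, the addresses, the cluster ID and the authentication key are assumed values.

```junos
/* Added example: route reflector 10.0.0.1 in AS 65000 (all addresses and the key are assumed) */
routing-options {
    router-id 10.0.0.1;
    autonomous-system 65000;
}
protocols {
    bgp {
        /* Clients: the cluster ID is configured only here, on the reflector */
        group rr-clients {
            type internal;
            local-address 10.0.0.1;
            cluster 10.0.0.1;
            /* TCP MD5 on every iBGP session so a spoofed peer cannot inject routes */
            authentication-key "use-a-long-shared-secret";
            neighbor 10.0.0.2;
            neighbor 10.0.0.3;
        }
        /* Nonclients (and any other reflectors) still need a full mesh with this router */
        group ibgp-nonclients {
            type internal;
            local-address 10.0.0.1;
            authentication-key "use-a-long-shared-secret";
            neighbor 10.0.0.4;
        }
    }
}
```

On client 10.0.0.2 the only configuration is a normal `type internal` group with `neighbor 10.0.0.1` and the same authentication key. Check the sessions with `show bgp summary`, and on a client `show route protocol bgp detail` shows the Originator ID and Cluster list on every reflected route. Use the same cluster ID on redundant reflectors of one cluster and different IDs for different clusters; a reflector that sees its own cluster ID in a received Cluster list drops the route, which is what prevents loops.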

Saturday, November 9, 2013

BFD Bidirectional Forwarding Detection - Juniper

Junos has several HA (High Availability) features, such as NSR (nonstop active routing), Graceful Restart, GRES (graceful Routing Engine switchover) and of course BFD. I'll write briefly about BFD and configure it on two Juniper routers under the OSPF process.
What is BFD actually?
Bidirectional Forwarding Detection is a protocol used to detect faults in the path between two forwarding engines connected by a link.
BFD is vendor and protocol independent and runs on top of any data protocol (network layer, link layer, tunnels, etc.). It is lightweight in CPU and memory compared with the fault-detection mechanisms of the routing protocols themselves, such as OSPF hellos, which are slow (seconds) compared with BFD (sub-second).
The benefit of BFD is a single method for fast failure detection with one set of timers: instead of tuning the hello and dead timers of every protocol, each protocol registers with BFD and is told immediately when the BFD session goes down.

Supported protocols are:

  • OSPF
  • Static
  • IS-IS
  • RIP
  • iBGP
  • eBGP
  • RSVP
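The OSPF-side configuration the post describes, as an added example (not the configuration from the original post): the interface ge-0/0/0.0 and the 300 ms / 3 timers are assumed values, and the same stanza goes on both routers.

```junos
/* Added example: BFD on the OSPF adjacency over ge-0/0/0.0 (interface and timers assumed) */
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0 {
                bfd-liveness-detection {
                    /* 300 ms between control packets; the neighbor is declared down
                       after 3 missed packets, i.e. 300 ms * 3 = 900 ms detection time,
                       versus the OSPF default dead interval of 40 s */
                    minimum-interval 300;
                    multiplier 3;
                }
            }
        }
    }
}
```

Verify with `show bfd session` (state Up, with the negotiated interval and multiplier) and `show ospf neighbor`; when the BFD session fails, OSPF tears the adjacency down right away instead of waiting for the dead interval. Do not push the interval below what the platform can service under load: a control plane that is too busy to answer in time makes BFD report a failure on a healthy link, and with an aggressive multiplier that false positive is itself an outage.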

Saturday, July 27, 2013

NTP Cisco - Juniper MD5 Authentication

In this example I'm going to configure a Cisco router to be the NTP server, with the locally configured clock as its time source. Best practice is to use more than one NTP server and a GPS-disciplined network time server (hardware or software).

 
R1#show clock
*00:06:25.899 UTC Fri Mar 1 2002
R1#clock set 21:51:50 22 july 2013
Use the clock set command to set the local clock first.
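Both sides of the authenticated exchange, as an added example (not the configuration from the original post): the Cisco router serves from its local clock at stratum 3, and a Juniper router is its client. The server address 10.1.1.1, key ID 1 and the key value are assumed.

```text
! Added example, Cisco side (IOS): NTP server from the local clock with MD5 key 1
! (address, key ID and key value are assumed)
ntp authentication-key 1 md5 n7p-shared-secret
ntp authenticate
ntp trusted-key 1
! serve from the local clock; stratum 3 is assumed so a real upstream source is preferred
ntp master 3

/* Added example, Juniper side (Junos): client that only accepts replies signed with key 1 */
system {
    ntp {
        authentication-key 1 type md5 value "n7p-shared-secret";
        server 10.1.1.1 key 1;
        trusted-key 1;
    }
}
```

Check with `show ntp associations detail` on the Cisco side and `show ntp associations` on the Junos side (the synchronized peer is marked with `*`). Keep in mind what MD5 authentication does here: the MAC is a keyed digest over the NTP packet, so it lets the client verify that the reply came from a holder of the shared key and was not altered, but nothing is encrypted and the key itself is a shared secret that has to be distributed out of band. Use SHA-type keys instead where both platforms support them.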

SolarWinds SFTP & SCP Server Running Problem

I downloaded and installed the SolarWinds SFTP & SCP Server; you can find lots of free network tools at their site.
For the free tools follow the link http://www.solarwinds.com/downloads/
But I have to point out a problem I had launching the SFTP & SCP server. When I run the application everything looks just fine, except that the service is not running and cannot be started.

See pictures below:




Friday, July 12, 2013

Oracle VM And Windows Server 2012 Nic Problem

I installed Windows Server 2012 for testing in Oracle VM, and during installation I used the default configuration for the VM. When I logged on and tried to configure the network settings there was no network adapter at all.


Thursday, July 11, 2013

Backup Configuration Using Kron Schedule

Do you want to make sure your router automatically saves its configuration at a scheduled time? For that purpose you can use the kron command on a router or switch.

But (yes, there is a but :)), first you have to configure accurate time on the router; to do that use clock set or the ntp server command.

In this lab I'm using a TFTP server (tftpd32) to back up my config; you can use FTP or SCP with the same kron command. Keep in mind that TFTP has no authentication and carries the configuration, including any passwords and keys in it, in clear text, so use it only on a management network you trust, or prefer SCP, and restrict which hosts can reach the TFTP server.


Here you can download TFTP, SFTP and SCP servers without any fees. 


After setting the clock, disable the interactive prompts of the copy command. Even when you supply the complete source and destination file name on the command line, IOS still asks for the IP address of the TFTP server and the destination file name, and a kron job has nobody to answer those questions.

To solve the problem use the file prompt quiet command (the default value is noisy); after that you can start configuring the kron scheduler.

Step 1.
HLabR1(config)#kron policy-list SAVECONFIG
HLabR1(config-kron-policy)#cli copy running-config tftp://10.2.0.2/config
HLabR1(config-kron-policy)#exit
HLabR1(config)#kron occurrence SAVE at 21:51 Sun recurring
HLabR1(config-kron-occurrence)#policy-list SAVECONFIG


Step 2.

Use debug kron all to see what happens at the scheduled time.



Jul  7 21:51:16.656: Kron CLI return 0'
**CLI 'copy running-config tftp://10.2.0.2/config':
!!1253 bytes copied in 3.268 secs (383 bytes/sec)'
Jul  7 21:51:16.664: Major 4, Minor 7
Jul  7 21:51:16.664: Respond to end of CLI Process

Use the show kron schedule command to see when it will run again.

Saturday, May 11, 2013

SSH Optional Configuration And Testing

I won't write about how SSH is more secure than Telnet, that it is the recommended practice for remote administration of network devices, that all Telnet traffic is sent in plain text, etc., because you already know that.

I will point to optional configuration that is (in my opinion) equally needed, but I will also point to the steps that you must configure first.

Step 1: Configure the IP domain name
Step 2: Generate one-way secret keys
Step 3: Verify or create a local database entry
Step 4: Enable VTY inbound SSH sessions

Optionally you can configure SSH version, timeout period and number of authentication retries.

You can configure how long the router waits for the SSH client to complete the negotiation phase with the command ip ssh time-out seconds in global configuration mode; the default value is 120 seconds. This timer covers only the connection setup; once the session is up, the idle limit is the exec-timeout of the vty line.

You can also control how many password attempts a user gets before being disconnected. The command is ip ssh authentication-retries value; by default the user has three attempts.
During configuration and testing I noticed that the real number of attempts is the configured value plus 1: if you enter ip ssh authentication-retries 2 the user gets three tries at the password. I tried values from 0 to 5 and every time I connected I got one more attempt than the configured value.
As you can see on the screenshots and in the running SSH configuration, you get one extra attempt for free. :)
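The four mandatory steps and the optional settings in one IOS configuration, as an added example (not configuration from the original post). The hostname, domain name, username, secret and timer values are assumed.

```cisco
! Added example: SSH on an IOS router (hostname, domain, user, secret and timers are assumed)
! Step 1: the domain name is part of the key pair name, so it must exist first
hostname HLabR1
ip domain-name lab.example.com
! Step 2: generate the RSA key pair; use 2048 bits, not the 512-bit default
crypto key generate rsa modulus 2048
! Step 3: a local user with a hashed secret (never the reversible 'password' form)
username admin privilege 15 secret S3cr3t-change-me
! Step 4 plus the optional settings: SSHv2 only, shorter negotiation timeout, fewer retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
```

`show ip ssh` confirms the version, time-out and retry values, and `show ssh` lists the active sessions. Because a client gets one attempt more than the configured retries, the retry counter alone is a weak brute-force control; pair it with the login block-for command (for example login block-for 120 attempts 3 within 60) so repeated failures from a client are answered with a quiet period rather than a fresh connection.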

Thursday, March 21, 2013

Best Practice Access List Branch Office Router (Firewall)


At a branch office you will not always have an ASA for security and for VPN connectivity to the central office; the best option is to use the router you already have at the branch office with an access control list.


This approach works well for this scenario; you can change, add to or modify it for your needs.