Juniper configuration recommendations/BCP

2020-10-08 Thread Forrest Christian (List Account) 

After nearly 30 years of being a cisco shop, I'm working on configuring our
first pair of Juniper MX204's to replace our current provider-edge cisco.

I've worked through enough of the Juniper documentation/books to have a
fairly good handle on how to configure these, but I wanted to check with
the list to see if there are any Juniper-Specific gotchas I might run into
that isn't documented well.

I've done a bit of googling and am either finding stuff that is largely
Cisco-specific or which is generic - all of which I'm rather familiar with
based on my past history.   Is there anything I should worry about which is
Juniper-specific?

-- 
- Forrest

Juniper configuration recommendations/BCP

2020-10-08 Thread Chriztoffer Hansen 


On 08/10/2020 11:37, Forrest Christian (List Account) wrote:
> Is there anything I should worry about
> which is Juniper-specific?

JUNOS default ARP timeout: 20 min.

If you connect to IXP's. Recommended ARP timeout: 4 hours.

Re: Fastly's Montreal POP offline

2020-10-08 Thread Eric Dugas via NANOG 
I got news this morning, they're investigating since Tuesday ~18:00. No ETA for 
now.

On Oct 8 2020, at 12:04 am, Eric Dugas  wrote:
> My PNI with them in Montreal is barely passing any traffic since yesterday 
> just before 18:00.
>
> Fastly is also on QIX in Montreal, and both LAGs shows no traffic since 
> yesterday, same time my PNI's traffic dropped.
> I've tried to reach peering@ and noc@ today but no replies so far and it's 
> been hours. If anyone from Fastly can reach me off-list or on-list.
> Eric

RE: [EXTERNAL] Juniper configuration recommendations/BCP

2020-10-08 Thread Mann, Jason via NANOG 
If using loopbacks on the router you have to have a firewall filter on it to 
permit traffic to the device even if you have a firewall filter on individual 
interfaces that would allow/deny traffic

From: NANOG  On Behalf Of Forrest 
Christian (List Account)
Sent: Thursday, October 8, 2020 3:38 AM
To: nanog list 
Subject: [EXTERNAL] Juniper configuration recommendations/BCP


After nearly 30 years of being a cisco shop, I'm working on configuring our 
first pair of Juniper MX204's to replace our current provider-edge cisco.

I've worked through enough of the Juniper documentation/books to have a fairly 
good handle on how to configure these, but I wanted to check with the list to 
see if there are any Juniper-Specific gotchas I might run into that isn't 
documented well.

I've done a bit of googling and am either finding stuff that is largely 
Cisco-specific or which is generic - all of which I'm rather familiar with 
based on my past history.   Is there anything I should worry about which is 
Juniper-specific?

--
- Forrest

Re: [EXTERNAL] Juniper configuration recommendations/BCP

2020-10-08 Thread Pierre LANCASTRE 
Hi

https://www.juniper.net/assets/kr/kr/local/pdf/books/tw-hardening-junos-devices-checklist.pdf

http://62.210.157.99/juniperdayone/TW_Hardening_Junos_Devices.pdf

Cheers

Pierre

Le jeu. 8 oct. 2020 à 16:59, Mann, Jason via NANOG  a
écrit :

> If using loopbacks on the router you have to have a firewall filter on it
> to permit traffic to the device even if you have a firewall filter on
> individual interfaces that would allow/deny traffic
>
>
>
> *From:* NANOG  * On Behalf Of *Forrest
> Christian (List Account)
> *Sent:* Thursday, October 8, 2020 3:38 AM
> *To:* nanog list 
> *Subject:* [EXTERNAL] Juniper configuration recommendations/BCP
>
>
>
> 
>
> After nearly 30 years of being a cisco shop, I'm working on configuring
> our first pair of Juniper MX204's to replace our current provider-edge
> cisco.
>
>
>
> I've worked through enough of the Juniper documentation/books to have a
> fairly good handle on how to configure these, but I wanted to check with
> the list to see if there are any Juniper-Specific gotchas I might run into
> that isn't documented well.
>
>
>
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history.   Is there anything I should worry about which is
> Juniper-specific?
>
>
>
> --
>
> - Forrest
>

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Justin Oeder 
If you are an OSPF shop, Cisco AD is 110 for internal and external
routes.  Juniper is 10 for internal and 150 for external.  This can be
changed via an export (maybe import) policy on the OSPF protocol.

There is no 'network' statement in the Junos world.  There are a few
different ways to solve this same problem.  Up to you how you do it.

Routing engine protection is much easier.  A firewall filter on the
loopback interface.  Here is a sample.  This is really where your BCP
starts.  
https://github.com/jcoeder/juniper-configurations/blob/master/protect-re.txt

Dynamic prefix-lists are pretty cool.  They allow you to create prefix-
list based on other sections of the configuration.

# In this first statement we use wildcards surrounding a . as this is
the format of an IPv4 address.
set policy-options prefix-list BGP_PEERS_DYNAMIC apply-path "protocols
bgp group <*> neighbor <*.*>"

# In this second statement we use wildcards surrounding a : as this is
the format of an IPv6 address.
set policy-options prefix-list BGP_PEERS_DYNAMIC_V6 apply-path
"protocols bgp group <*> neighbor <*:*>"

Justin

On Thu, 2020-10-08 at 03:37 -0600, Forrest Christian (List Account)
wrote:
> 
> After nearly 30 years of being a cisco shop, I'm working on
> configuring our first pair of Juniper MX204's to replace our current
> provider-edge cisco. 
> 
> I've worked through enough of the Juniper documentation/books to have
> a fairly good handle on how to configure these, but I wanted to check
> with the list to see if there are any Juniper-Specific gotchas I
> might run into that isn't documented well.  
> 
> I've done a bit of googling and am either finding stuff that is
> largely Cisco-specific or which is generic - all of which I'm
> rather familiar with based on my past history.   Is there anything I
> should worry about which is Juniper-specific?
> 
> -- 
> - Forrest

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Casey Russell via NANOG 
Forrest,

Between Jason and Justin, (and now others probably) they've captured what I
was already typing.  Basically, that as soon as you create a loopback
interface (with a L3 IP) you need to start planning your firewall filter
for it.  Most of it is as simple as creating filters for SSH and other
administrative access to the loopback address, but some of it is not at all
intuitive if you're coming from a Cisco/Brocade world.

The loopback filter protects the RE, and, can, in many cases affect traffic
flowing across transit interfaces, in a way that in a Cisco shop you would
never have never considered.  On a Juniper, if it will be processed in just
about any way by the routing engine (even just a few packets in the flow)
you need to account for that.  It's not as daunting as it sounds, but it
needs to be accounted for.  I'll let their comments fill in the rest,
because others have already provided good resources.

Sincerely,
Casey Russell
Network Engineer
[image: KanREN] 
[image: phone]785-856-9809
2029 Becker Drive, Suite 282
Lawrence, Kansas 66047
XSEDE Campus Champion
Certified Software Carpentry Instructor
[image: linkedin]

[image:
twitter]  [image: twitter]
 need support? 



On Thu, Oct 8, 2020 at 4:39 AM Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> 
> After nearly 30 years of being a cisco shop, I'm working on configuring
> our first pair of Juniper MX204's to replace our current provider-edge
> cisco.
>
> I've worked through enough of the Juniper documentation/books to have a
> fairly good handle on how to configure these, but I wanted to check with
> the list to see if there are any Juniper-Specific gotchas I might run into
> that isn't documented well.
>
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history.   Is there anything I should worry about which is
> Juniper-specific?
>
> --
> - Forrest
>

RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1 
~30 years of being a Cisco IOS shop or Cisco IOS-XR shop?  A bit different.

 

Welcome to the SP-world of really nice JunOS

 

Conf

Blah blah blah

Commit check  <- will check your pending config for 
correctness

Commit | compare <- will tell you what is about to change (similar 
to IOS-XR “show commit change diff”

…if you don’t like it….

Rollback

…if you are nervous about breaking something and what to smoke test it…

Commit confirmed 2  <- allows you a couple minutes to see if the sky 
falls…if it does, it’ll all be good in 2 minutes when it reverses the change.  
XR has this too

…if you like it…

Commit

…if you still don’t like it…

Conf

Rollback 1

Commit

 

Gosh, there’s so much more

 

Built in monitor/sniffer for interfaces

 

JunOS is so linux based, that you will find a lot of things like that in it.  
Shell under the hood and see various other things

 

The mx204 has some strange 1 gig option for 10 gig interfaces… which are still 
referred to as xe-?/?/? even when operating in 1 gig…

 

 

-Aaron

 

 

 

From: NANOG  On Behalf Of Forrest 
Christian (List Account)
Sent: Thursday, October 8, 2020 4:38 AM
To: nanog list 
Subject: Juniper configuration recommendations/BCP

 



After nearly 30 years of being a cisco shop, I'm working on configuring our 
first pair of Juniper MX204's to replace our current provider-edge cisco. 

 

I've worked through enough of the Juniper documentation/books to have a fairly 
good handle on how to configure these, but I wanted to check with the list to 
see if there are any Juniper-Specific gotchas I might run into that isn't 
documented well.  

 

I've done a bit of googling and am either finding stuff that is largely 
Cisco-specific or which is generic - all of which I'm rather familiar with 
based on my past history.   Is there anything I should worry about which is 
Juniper-specific?

 

-- 

- Forrest

RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1 
I just remembered another one I use the heck out of….

 

Show whateverwhatever | refresh 1

 

Love it

 

Or refresh 30 (whatever time you want)

 

It’s so nice to be able to take hands off keyboard and know exactly when 
something changes in that show command…. Piping to “refresh” and a timer will 
redo that command over and over again

 

Another one is the ability to stop and restart processes, which wasn’t as 
possibly in Classic IOS (perhaps more in XE and was possible in XR), but I was 
pleased with the ability to do this in JunOS

 

There have been a few occasions when the JTAC has had me restart a jdhcpd 
process or fxp0 process or whatever during bug-hits as a quick way of freeing 
up the pegged CPU or leaked out memory, until a JunOS upgrade perm fix could be 
accomplished.

 

Oh, show log interactive – really cool, it’s like having your own local aaa 
(tacacs) accounting log… right there on the box a built in log file showing 
every command that was typed be everyone!

 

Forgive me if I continue sending emails as I recall nice things I’ve learned 
over the last few years during my conversion from cisco to juniper

 

IOS is nice

IOS-XE is nicer (I guess, lol)

IOX-XR is great

JunOS is greater I think – seems that there is just more you can do in JunOS 
than XR… and JunOS capabilities are across many of Junipers products… XR is a 
bit limited to certain platforms (although growing with more NCS products, 
first 5x00, not 540)

 

-Aaron

RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1 
Typos, sorry…

 

Meant …fxpc process…

 

Meant …now 540

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Chris Boyd 



> On Oct 8, 2020, at 10:55 AM,   wrote:
> 
> JunOS is so linux based

Um, my MX-204 says FreeBSD amd64.

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Forrest Christian (List Account) 
I will say that so far I'm finding JunOS and the Juniper documentation to
be a welcome change.   In my other life I write networking/IoT code and
have done my fair share of unix (linux, freebsd, sunos, etc.)
administration over the years.  As a result, JunOS is feeling more natural
than some devices I've configured over the years.   Right now, It's just a
matter of learning where all the stones one has to turn over to make it
work well are...

Thanks to everyone for the answers so far.   It will take a bit for me to
dig through and process them..  I can also see that there are definitely
some gems I didn't know about.

On Thu, Oct 8, 2020 at 9:53 AM Paschal Masha  wrote:

> Above all, JUNOS makes sense when configuring, you literally the software
> gives you the feel of talking to the device. If your brain is programmed to
> be logically then all pieces and modes easily come to life and adaptation
> becomes a zero hustle.
>
>
>
> *Paschal Masha*
> Lead Network Engineer
> 6x7 Networks | 1 (831)325-0544
> Time Zone: PST
>
>
> On Thu, Oct 8, 2020 at 6:44 PM Justin Oeder  wrote:
>
>> If you are an OSPF shop, Cisco AD is 110 for internal and external
>> routes.  Juniper is 10 for internal and 150 for external.  This can be
>> changed via an export (maybe import) policy on the OSPF protocol.
>>
>> There is no 'network' statement in the Junos world.  There are a few
>> different ways to solve this same problem.  Up to you how you do it.
>>
>> Routing engine protection is much easier.  A firewall filter on the
>> loopback interface.  Here is a sample.  This is really where your BCP
>> starts.
>>
>> https://github.com/jcoeder/juniper-configurations/blob/master/protect-re.txt
>>
>> Dynamic prefix-lists are pretty cool.  They allow you to create prefix-
>> list based on other sections of the configuration.
>>
>> # In this first statement we use wildcards surrounding a . as this is
>> the format of an IPv4 address.
>> set policy-options prefix-list BGP_PEERS_DYNAMIC apply-path "protocols
>> bgp group <*> neighbor <*.*>"
>>
>> # In this second statement we use wildcards surrounding a : as this is
>> the format of an IPv6 address.
>> set policy-options prefix-list BGP_PEERS_DYNAMIC_V6 apply-path
>> "protocols bgp group <*> neighbor <*:*>"
>>
>> Justin
>>
>> On Thu, 2020-10-08 at 03:37 -0600, Forrest Christian (List Account)
>> wrote:
>> > 
>> > After nearly 30 years of being a cisco shop, I'm working on
>> > configuring our first pair of Juniper MX204's to replace our current
>> > provider-edge cisco.
>> >
>> > I've worked through enough of the Juniper documentation/books to have
>> > a fairly good handle on how to configure these, but I wanted to check
>> > with the list to see if there are any Juniper-Specific gotchas I
>> > might run into that isn't documented well.
>> >
>> > I've done a bit of googling and am either finding stuff that is
>> > largely Cisco-specific or which is generic - all of which I'm
>> > rather familiar with based on my past history.   Is there anything I
>> > should worry about which is Juniper-specific?
>> >
>> > --
>> > - Forrest
>>
>>

-- 
- Forrest

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Matt Harris 

Matt Harris|Infrastructure Lead Engineer
816-256-5446|Direct
Looking for something?
Helpdesk Portal|Email Support|Billing Portal
We build and deliver end-to-end IT solutions.
On Thu, Oct 8, 2020 at 5:51 PM Chris Boyd  wrote:

>
>
> > On Oct 8, 2020, at 10:55 AM,   wrote:
> >
> > JunOS is so linux based
>
> Um, my MX-204 says FreeBSD amd64.
>

Junos has always had a large basis coming from FreeBSD way back when.

There's no Linux going on in Junos itself as far as I know, however Juniper
does utilize Wind River Linux as an intermediary virtualization step for
some of their virtualized products like the vSRX.

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Ryan Hamel 
There is linux happening in some devices.

https://www.juniper.net/documentation/en_US/junos/topics/concept/evo-overview.html

Ryan

On Thu, Oct 8, 2020, 4:16 PM Matt Harris  wrote:

> Matt Harris​
> | Infrastructure Lead Engineer
> 816‑256‑5446
> | Direct
> Looking for something?
> *Helpdesk Portal* 
> | *Email Support* 
> | *Billing Portal* 
> We build and deliver end‑to‑end IT solutions.
> On Thu, Oct 8, 2020 at 5:51 PM Chris Boyd  wrote:
>
>>
>>
>> > On Oct 8, 2020, at 10:55 AM,   wrote:
>> >
>> > JunOS is so linux based
>>
>> Um, my MX-204 says FreeBSD amd64.
>>
>
> Junos has always had a large basis coming from FreeBSD way back when.
>
> There's no Linux going on in Junos itself as far as I know, however
> Juniper does utilize Wind River Linux as an intermediary virtualization
> step for some of their virtualized products like the vSRX.
>
>

Re: Juniper configuration recommendations/BCP

2020-10-08 Thread Chris Adams 
Once upon a time, Matt Harris  said:
> There's no Linux going on in Junos itself as far as I know, however Juniper
> does utilize Wind River Linux as an intermediary virtualization step for
> some of their virtualized products like the vSRX.

Most (if not all) of the current routing engines run the FreeBSD-based
Junos in a VM on a Linux hypervisor.  There's also Junos Evolved, which
is Junos ported over to a Linux-based system instead of FreeBSD (among
other architectual changes).

-- 
Chris Adams

RE: Juniper configuration recommendations/BCP

2020-10-08 Thread aaron1 
Right, it's been freebsd forever as I understand it, but I thought there had
been some more recent involvement with linux, which is why I said that.  I'm
not an authority on it though.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/vm-host-o
verview.html

-Aaron