Juniper Junos tagged port or trunk configuration

root# show | display set
set version 11.3R1.7
set system root-authentication encrypted-password "$1$p2OTFo8/$LG/0iTcF.LRyxX.vyXIpE0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan20
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching
set interfaces ge-0/0/4 unit 0 family ethernet-switching
set interfaces ge-0/0/5 unit 0 family ethernet-switching
set interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/7 unit 0 family ethernet-switching
set interfaces ge-0/0/8 unit 0 family ethernet-switching
set interfaces ge-0/0/9 unit 0 family ethernet-switching
set interfaces ge-0/0/10 unit 0 family ethernet-switching
set interfaces ge-0/0/11 unit 0 family ethernet-switching
set interfaces ge-0/1/0 unit 0 family ethernet-switching
set interfaces ge-0/1/1 unit 0 family ethernet-switching
set interfaces me0 unit 0 family inet
set interfaces vlan unit 0 family inet
set interfaces vlan unit 10 family inet address 10.10.10.200/24
set interfaces vlan unit 20 family inet address 20.20.20.200/24
set protocols igmp-snooping vlan all
set protocols vstp vlan vlan10
set protocols vstp vlan vlan20
set protocols lldp interface all
set protocols lldp-med interface all
set ethernet-switching-options storm-control interface all
set vlans default l3-interface vlan.0
set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface vlan.10
set vlans vlan20 vlan-id 20
set vlans vlan20 l3-interface vlan.20

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11013&cat=EX_SERIES&actp=LIST&showDraft=false

ZBFW example with router as DNS server

hostname R1
!
ip name-server 23.23.23.3
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 12.12.12.2

hostname R2
!
ip name-server 23.23.23.3
ip inspect log drop-pkt
!
class-map type inspect match-all CM_DNS
match protocol dns
class-map type inspect match-all WEB_to_www.garry.com
match access-group name WWW.GARRY.COM
match protocol http
class-map type inspect match-all CM_ICMP
match protocol icmp
class-map type inspect match-all CM_HTTP
match protocol http
class-map type inspect match-all CM_TELNET
match protocol telnet
!
policy-map type inspect PM_INSIDE2OUTSIDE
class type inspect CM_DNS
inspect
class type inspect WEB_to_www.garry.com
inspect
class class-default
drop
policy-map type inspect PM_OUTSIDE2INSIDE
class class-default
drop
!
zone security ZONE_OUTSIDE
zone security ZONE_INSIDE
zone-pair security ZP_INSIDE2OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
service-policy type inspect PM_INSIDE2OUTSIDE
zone-pair security ZP_OUTSIDE2INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
service-policy type inspect PM_OUTSIDE2INSIDE
!
interface FastEthernet0/0
ip address 12.12.12.2 255.255.255.0
zone-member security ZONE_INSIDE
!
interface FastEthernet0/1
ip address 23.23.23.2 255.255.255.0
zone-member security ZONE_OUTSIDE
!
ip access-list extended WWW.GARRY.COM
permit ip any host 23.23.23.3

hostname R3
ip host www.garry.com 23.23.23.3
!
interface FastEthernet0/1
ip address 23.23.23.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 23.23.23.2
!
!
ip http server
no ip http secure-server
ip dns server
ip dns primary garry.com soa R3 garry@garry.com 21600 900 7776000 86400
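
An added example, not part of the original post: a short Python audit that reads R2's class-map, policy-map and zone-pair stanzas from the configuration above and reports which classes each zone-pair actually applies and which class-maps no policy-map references. The function names parse and audit are this example's own.

```python
# R2's firewall stanzas as given in the configuration above (sample input).
R2_CONFIG = """\
class-map type inspect match-all CM_DNS
match protocol dns
class-map type inspect match-all WEB_to_www.garry.com
match access-group name WWW.GARRY.COM
match protocol http
class-map type inspect match-all CM_ICMP
match protocol icmp
class-map type inspect match-all CM_HTTP
match protocol http
class-map type inspect match-all CM_TELNET
match protocol telnet
policy-map type inspect PM_INSIDE2OUTSIDE
class type inspect CM_DNS
inspect
class type inspect WEB_to_www.garry.com
inspect
class class-default
drop
policy-map type inspect PM_OUTSIDE2INSIDE
class class-default
drop
zone-pair security ZP_INSIDE2OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
service-policy type inspect PM_INSIDE2OUTSIDE
zone-pair security ZP_OUTSIDE2INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
service-policy type inspect PM_OUTSIDE2INSIDE
"""

def parse(text):  # returns (class-maps, policy-maps, zone-pairs) keyed by name
    maps, pairs, cur = {"class-map": {}, "policy-map": {}}, {}, None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in maps:                       # class-map / policy-map header
            cur = maps[w[0]].setdefault(w[-1], [])
        elif w[0] == "zone-pair":              # -> [source, destination, policy]
            cur = pairs.setdefault(w[2], [w[4], w[6]])
        elif w[0] in ("match", "service-policy"):
            cur.append(" ".join(w[1:]) if w[0] == "match" else w[-1])
        elif w[0] == "class":                  # action is on the following line
            cur.append([w[-1], None])
        elif w[0] in ("inspect", "drop", "pass"):
            cur[-1][1] = w[0]
    return maps["class-map"], maps["policy-map"], pairs

def audit(text):
    """Return (rules applied per zone-pair, class-maps no policy-map uses)."""
    cmaps, pmaps, pairs = parse(text)
    rules = {zp: [tuple(r) for r in pmaps[p[2]]] for zp, p in pairs.items()}
    used = {c for body in pmaps.values() for c, _ in body}
    return rules, sorted(set(cmaps) - used)
```

For this configuration the audit reports CM_HTTP, CM_ICMP and CM_TELNET as unreferenced, so inside-to-outside ICMP, Telnet and HTTP to hosts other than 23.23.23.3 fall through to class-default and are dropped.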

PPPoE configuration and notes

Here is my default config for PPPoE between R6 and R7, back to back over Ethernet interface F0/1.

NOTES: Set the MTU on interface Dialer1 (client side) to match the 1492 of interface Virtual-Template1 (server side), or, in the case of OSPF, set mtu ignore on the interfaces.
NOTES: The key step that is not in the documentation is to set ‘encapsulation ppp’ on the dialer interface on the client side.
NOTES: The IP address can be assigned from an IPCP local pool or a DHCP pool; just create the local pool or DHCP pool on the server side.
NOTES: Standard PPP CHAP/PAP authentication can also be used on the PPPoE link.

Cisco DOCCD link

Cisco Support Forms link

R7:
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
encapsulation ppp
ip ospf mtu-ignore
dialer pool 1
dialer-group 1

R6:
bba-group pppoe global
virtual-template 1
!
interface Loopback67
ip address 67.6.7.6 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
!
interface Virtual-Template1
ip unnumbered Loopback67
peer default ip address pool R7
ip ospf mtu-ignore

!
ip local pool R7 67.6.7.7

PPP over Frame-Relay with PPP multilink

There are two ways to configure this setup, and the configurations below show both: one side uses a Multilink interface and the other side uses a Virtual-Template interface:

hostname CE1-OSPF
!
ip cef
!
multilink bundle-name authenticated
!
interface Multilink1
ip address 10.1.215.1 255.255.255.0
ppp multilink
ppp multilink interleave
ppp multilink group 1
ppp multilink fragment delay 10
!
interface Serial0/0.1 point-to-point
snmp trap link-status
frame-relay class FRTS
frame-relay interface-dlci 102 ppp Virtual-Template1
!
interface Serial0/0.2 point-to-point
snmp trap link-status
frame-relay interface-dlci 103 ppp Virtual-Template1
!
interface Virtual-Template1
no ip address
ppp multilink
ppp multilink group 1
!
router ospf 11
router-id 1.1.1.1
log-adjacency-changes
redistribute connected subnets
network 10.1.12.1 0.0.0.0 area 0
network 10.1.21.1 0.0.0.0 area 0
network 10.1.215.1 0.0.0.0 area 0
!
map-class frame-relay FRTS
frame-relay cir 64000
frame-relay bc 80000
!
end

hostname CE2-OSPF
!
multilink bundle-name authenticated
!
interface Serial0/0
no ip address
encapsulation frame-relay
clock rate 2000000
!
interface Serial0/0.1 point-to-point
snmp trap link-status
frame-relay interface-dlci 201 ppp Virtual-Template1
!
interface Serial0/0.2 point-to-point
snmp trap link-status
frame-relay interface-dlci 301 ppp Virtual-Template1
!
interface Virtual-Template1
ip address 10.1.215.5 255.255.255.0
ppp multilink
ppp multilink interleave
ppp multilink fragment delay 10
!
router ospf 11
router-id 5.5.5.5
log-adjacency-changes
redistribute connected subnets
network 10.1.21.5 0.0.0.0 area 0
network 10.1.45.5 0.0.0.0 area 0
network 10.1.215.5 0.0.0.0 area 0
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
end

MPLS VPN EIGRP vs OSPF

EIGRP uses the BGP cost community during redistribution of the CE routes on the PE router, together with the idea of a POI (point of insertion), and automatically creates the ‘super backbone’ so that EIGRP uses the Provider link over the backdoor links.

OSPF uses the sham link inside the VRF to create a ‘super backbone’ area 0 over the Provider network, changing the link over the Provider to an intra-area link instead of an inter-area link. The sham link also sets the cost to a value lower than the backdoor link cost.

MPLS and EIGRP (from INE.com blog)

http://blog.ine.com/2010/07/19/mpls-and-eigrp-going-the-distance-admin-distance/comment-page-1/#comment-122111

and my comment:

This was really good. I had only done this type of lab before with OSPF and sham links. It took me some digging, but pretty sure this is the answer:

BGP Cost Community Support for EIGRP MPLS VPN PE-CE with Backdoor Links

The “pre-bestpath” point of insertion (POI) is applied automatically to EIGRP routes that are redistributed into BGP. The “pre-best path” POI carries the EIGRP route type and metric. This POI influences the best path calculation process by influencing BGP to consider this POI before any other comparison step. No configuration is required. This feature is enabled automatically for EIGRP VPN sites when Cisco IOS Release 12.0(27)S is installed to a PE, CE, or back door router.

http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_cost_comm_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054113

I was also able to turn this ‘on/off’ with bgp bestpath cost-community ignore

And also, by making the metric extremely worse on R4 f0/1, R2 will choose the path through R1 to get to 5.5.5.0

R2#sh ip route vrf v 5.5.5.0
Routing entry for 5.5.5.0/24
Known via "bgp 234", distance 200, metric 409600, type internal
Redistributing via eigrp 1
Advertised by eigrp 1 metric 1 10000 1 1 1
bgp 234 (self originated)
Last update from 4.4.4.4 00:16:30 ago
Routing Descriptor Blocks:
* 4.4.4.4 (Default-IP-Routing-Table), from 4.4.4.4, 00:16:30 ago
Route metric is 409600, traffic share count is 1
AS Hops 0

R4(config)#int f0/1
R4(config-if)#delay 16777215

R2#sh ip route vrf v 5.5.5.0
Routing entry for 5.5.5.0/24
Known via "eigrp 1", distance 90, metric 2323456, type internal
Redistributing via eigrp 1, bgp 234
Advertised by bgp 234
Last update from 10.1.12.1 on FastEthernet0/0, 00:00:01 ago
Routing Descriptor Blocks:
* 10.1.12.1, from 10.1.12.1, 00:00:01 ago, via FastEthernet0/0
Route metric is 2323456, traffic share count is 1
Total delay is 26000 microseconds, minimum bandwidth is 1544 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2

ip unnumbered

Using ip unnumbered has differences:

Use ip unnumbered on point-to-point links.

EIGRP – checks for the same subnet based on whether the interface is configured with ip address or ip unnumbered (thus point-to-point)
OSPF – sends the netmask as 0.0.0.0

SHAPE/POLICE rate limit 3560 on input and output

There are two ways to look at limiting bandwidth: on INPUT, apply a policy-map to traffic coming into the switch; on OUTPUT, use srr-queue shaped mode to limit traffic leaving the switch. Think of egress as out of the physical switch port and ingress as into the switch-ring internals of the switch.

interface GigabitEthernet0/2
switchport access vlan 100
speed 10
! rate limit/shape on OUTPUT
srr-queue bandwidth limit 10

interface GigabitEthernet0/2
switchport access vlan 100
speed 10
! rate limit/police on INPUT
service-policy input ICMP_PM

class-map match-all ICMP_CM
match access-group name ICMP
!
policy-map ICMP_PM
class ICMP_CM
police 8000 8000 exceed-action drop
!
ip access-list extended ICMP
permit ip any any
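
A token-bucket model of what `police 8000 8000 exceed-action drop` does to ingress traffic, added here as an illustration and not code from the original post. It assumes the standard single-rate token bucket (8000 bit/s refill, 8000-byte bucket that starts full) and constructed sample traffic; it does not model the switch hardware's exact rounding.

```python
def police(packets, rate_bps=8000, burst_bytes=8000):
    """Single-rate token-bucket policer with exceed-action drop.

    packets: (arrival_ms, size_bytes) tuples in time order.
    Returns one "conform" or "drop" verdict per packet.
    """
    tokens, last_ms, verdicts = burst_bytes, 0, []   # bucket starts full
    for t_ms, size in packets:
        # Refill rate_bps/8 bytes per second, capped at the burst size.
        tokens = min(burst_bytes, tokens + (t_ms - last_ms) * rate_bps / 8000)
        last_ms = t_ms
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("drop")                  # exceed-action drop
    return verdicts


# Constructed sample traffic: a 1000-byte packet every 100 ms for 10 s
# (80 kbit/s offered against the 8 kbit/s policer).
SAMPLE = [(i * 100, 1000) for i in range(100)]

if __name__ == "__main__":
    result = police(SAMPLE)
    print(result.count("conform"), "conformed,", result.count("drop"), "dropped")
```

On the sample traffic the first eight packets pass on the initial 8000-byte burst, after which one packet in ten conforms, which is the 8000 bit/s sustained rate.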