12.a
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
Lab 1:
Lab 2:
Lab 3:
Lab 4:
www.juniper.net
Course Overview
This one-day course provides students with foundational routing knowledge and configuration
examples and includes an overview of general routing concepts, routing policy, and firewall filters.
Through demonstrations and hands-on labs, you will gain experience in configuring and monitoring
the Junos operating system and monitoring basic device operations. This course uses Juniper
Networks SRX Series Services Gateways for the hands-on component, but the lab environment
does not preclude the course from being applicable to other Juniper hardware platforms running
the Junos operating system. This course is based on Junos OS Release 12.1R1.9.
Objectives
After successfully completing this course, you should be able to:
Describe the operation and configuration for unicast reverse path forwarding (RPF).
Intended Audience
This course benefits individuals responsible for configuring and monitoring devices running the
Junos OS.
Course Level
The Junos Routing Essentials course is a one-day introductory course.
Prerequisites
Students should have basic networking knowledge and an understanding of the Open Systems
Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend
the Introduction to the Junos Operating System (IJOS) course prior to attending this class.
Course Agenda
Day 1
Chapter 1:
Course Introduction
Chapter 2:
Routing Fundamentals
Lab 1: Routing Fundamentals
Chapter 3:
Routing Policy
Lab 2: Routing Policy
Chapter 4:
Firewall Filters
Lab 3: Firewall Filters
Document Conventions
CLI and GUI Text
Frequently throughout this course, we refer to text that appears in a command-line interface (CLI)
or a graphical user interface (GUI). To make the language of these documents easier to read, we
distinguish GUI and CLI text from chapter text according to the following table.
Style
Description
Usage Example
Franklin Gothic
Normal text.
Courier New
Console text:
Screen captures
Noncommand-related
syntax
commit complete
Exiting configuration mode
Select File > Open, and then click
Configuration.conf in the
Filename text box.
Description
Usage Example
Normal CLI
No distinguishing variant.
Physical interface:fxp0,
Enabled
Normal GUI
CLI Input
GUI Input
Description
Usage Example
CLI Variable
policy my-peers
GUI Variable
Additional Information
Education Services Offerings
You can obtain information on the latest Education Services offerings, course dates, and class
locations from the World Wide Web by pointing your Web browser to:
http://www.juniper.net/training/education/.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Lab 1
Routing Fundamentals (Detailed)
Overview
This lab demonstrates configuration and monitoring of Layer 3 routing on devices running
the Junos operating system. In this lab, you use the command-line interface (CLI) to
configure and monitor interfaces, static routing, and basic OSPF. Throughout these
configuration tasks, you will become familiar with and describe the contents of the routing
and forwarding tables.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Issue the configure
command to enter configuration mode and load the reset configuration file using
the load override /var/home/lab/jre/lab1-start.config
command. After the configuration has been loaded, commit the changes and return
to operational mode using the commit and-quit command.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override jre/lab1-start.config
load complete
[edit]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.4
Issue the show route command to display the contents of the route table.
lab@srxA-1> show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.210.14.128/27
10.210.14.131/32
*[Direct/0] 23:39:24
> via ge-0/0/0.0
*[Local/0] 23:39:31
Local via ge-0/0/0.0
*[Direct/0] 00:07:26
> via ge-0/0/0.0
*[Local/0] 00:07:40
Local via ge-0/0/0.0
128.0.0.1/32
128.0.0.4/32
128.0.0.6/32
128.0.1.16/32
*[Direct/0] 00:08:16
> via lo0.16385
*[Local/0] 00:07:39
Local via sp-0/0/0.16383
*[Direct/0] 00:08:16
> via lo0.16385
[Direct/0] 00:07:33
> via sp-0/0/0.16383
*[Direct/0] 00:08:16
> via lo0.16385
*[Direct/0] 00:08:16
> via lo0.16385
*[Local/0] 00:07:39
Local via sp-0/0/0.16383
*[Direct/0] 00:08:16
> via lo0.16385
[Direct/0] 00:07:33
> via sp-0/0/0.16383
[Direct/0] 00:08:16
> via lo0.16384
Step 1.5
Enter configuration mode and navigate to the [edit interfaces] hierarchy
level.
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1#
Step 1.6
Refer to the network diagram and configure the interfaces for your assigned device.
Use the VLAN-ID as the logical unit value for the tagged interface. Use logical unit 0
for all other interfaces. Remember to configure the loopback interface!
[edit interfaces]
lab@srxA-1# set lo0 unit 0 family inet address address/32
[edit interfaces]
lab@srxA-1# set ge-0/0/3 unit 0 family inet address address/30
[edit interfaces]
lab@srxA-1# set ge-0/0/2 unit 0 family inet address address/30
[edit interfaces]
lab@srxA-1# set ge-0/0/1 unit 0 family inet address address/30
[edit interfaces]
lab@srxA-1# set ge-0/0/4 vlan-tagging
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit vlan-id vlan-id vlan-id
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit vlan-id family inet address address/24
Step 1.7
Display the interface configuration and ensure that it matches the details outlined
on the network diagram for this lab. When you are comfortable with the interface
configuration, issue the commit and-quit command to activate the
configuration and return to operational mode.
[edit interfaces]
lab@srxA-1# show
ge-0/0/0 {
    description "MGMT Interface - DO NOT DELETE";
    unit 0 {
        family inet {
            address 10.210.14.131/27;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 172.20.77.1/30;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 172.20.66.1/30;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 172.18.1.2/30;
        }
    }
}
ge-0/0/4 {
    vlan-tagging;
    unit 101 {
        vlan-id 101;
        family inet {
            address 172.20.101.1/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.168.1.1/32;
        }
    }
}
[edit interfaces]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.8
Issue the show interfaces terse command to verify the current state of the
recently configured interfaces.
lab@srxA-1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.210.14.131/27
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
pd-0/0/0                up    up
pe-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.20.77.1/30
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.20.66.1/30
ge-0/0/3                up    up
ge-0/0/3.0              up    up   inet     172.18.1.2/30
ge-0/0/4                up    up
ge-0/0/4.101            up    up   inet     172.20.101.1/24
ge-0/0/4.32767          up    up
ge-0/0/5                up    down
ge-0/0/6                up    down
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    down
ge-0/0/11               up    down
ge-0/0/12               up    down
ge-0/0/13               up    down
ge-0/0/14               up    down
ge-0/0/15               up    down
gre                     up    up
ipip                    up    up
lo0                     up    up
lo0.0                   up    up   inet     192.168.1.1         --> 0/0
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.1.16          --> 0/0
                                   inet6    fe80::226:88ff:fe02:6700
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
st0                     up    up
tap                     up    up
vlan                    up    up
*[Direct/0] 02:17:46
> via ge-0/0/0.0
*[Local/0] 02:17:50
Local via ge-0/0/0.0
*[Direct/0] 00:02:03
> via ge-0/0/3.0
*[Local/0] 00:02:03
Local via ge-0/0/3.0
*[Direct/0] 00:02:03
> via ge-0/0/2.0
*[Local/0] 00:02:03
Local via ge-0/0/2.0
*[Direct/0] 00:02:03
> via ge-0/0/1.0
*[Local/0] 00:02:03
Local via ge-0/0/1.0
*[Direct/0] 00:02:03
> via ge-0/0/4.101
*[Local/0] 00:02:03
Local via ge-0/0/4.101
*[Direct/0] 00:02:03
> via lo0.0
STOP
Before continuing, ensure that the remote team in your pod is ready to
proceed.
Step 2.2
Attempt to ping the Internet host referenced on the network diagram for this lab.
Note
Step 2.4
Issue the run show route 172.31.15.1 command.
[edit routing-options]
lab@srxA-1# run show route 172.31.15.1
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:00:23
                    > to 172.18.1.1 via ge-0/0/3.0
Step 2.7
Define the required static routes to allow end-to-end connectivity to the remote
team's subnet and loopback addresses. Use the IP address assigned to the remote
student device on the 172.20.66.0/30 subnet as the next hop for these static
routes.
[edit routing-options]
lab@srxA-1# set static route address/32 next-hop address
[edit routing-options]
lab@srxA-1# set static route address/32 next-hop address
[edit routing-options]
lab@srxA-1# set static route address/24 next-hop address
[edit routing-options]
lab@srxA-1# show
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
    route 192.168.1.2/32 next-hop 172.20.101.10;
    route 192.168.2.1/32 next-hop 172.20.66.2;
    route 192.168.2.2/32 next-hop 172.20.66.2;
    route 172.20.102.0/24 next-hop 172.20.66.2;
}
Step 2.8
Use the IP address assigned to the remote student device on the 172.20.77.0/30
subnet as a qualified next hop for the recently added static routes to the remote
subnet and loopback addresses. Use a route preference of 6 for these definitions.
View the configuration, and when satisfied commit your configuration and return to
operational mode.
[edit routing-options]
lab@srxA-1# set static route address/32 qualified-next-hop address preference 6
[edit routing-options]
lab@srxA-1# set static route address/32 qualified-next-hop address preference 6
[edit routing-options]
lab@srxA-1# set static route address/24 qualified-next-hop address preference 6
[edit routing-options]
lab@srxA-1# show
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
    route 192.168.1.2/32 next-hop 172.20.101.10;
    route 192.168.2.1/32 {
        next-hop 172.20.66.2;
        qualified-next-hop 172.20.77.2 {
            preference 6;
        }
    }
    route 192.168.2.2/32 {
        next-hop 172.20.66.2;
        qualified-next-hop 172.20.77.2 {
            preference 6;
        }
    }
    route 172.20.102.0/24 {
        next-hop 172.20.66.2;
        qualified-next-hop 172.20.77.2 {
            preference 6;
        }
    }
}
[edit routing-options]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 2.9
Issue the show route protocol static command to view the current static
routes in your device's route table.
lab@srxA-1> show route protocol static
inet.0: 16 destinations, 19 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:11:06
                    > to 172.18.1.1 via ge-0/0/3.0
172.20.102.0/24    *[Static/5] 00:00:44
                    > to 172.20.66.2 via ge-0/0/2.0
                    [Static/6] 00:00:44
                    > to 172.20.77.2 via ge-0/0/1.0
192.168.1.2/32     *[Static/5] 00:00:44
192.168.2.1/32
192.168.2.2/32
STOP
Notify your instructor that you have finished Part 2. Before proceeding,
ensure that the remote team within your pod is ready to continue on to
Part 3.
Step 3.2
Navigate to the [edit protocols ospf] hierarchy level and define OSPF
Area 0 and include all internal interfaces that connect to the remote team's device
and the directly connected virtual router. Ensure that you also include the
lo0 interface. Issue the show command to view the resulting configuration.
Note
Step 3.3
Activate the candidate configuration using the commit command. Issue the run
show ospf neighbor command to verify OSPF neighbor adjacency state
information.
Note
State    ID             Pri  Dead
Full     192.168.2.1    128  37
Full     192.168.2.1    128  37
Full     192.168.1.2    128  39
192.168.2.2/32
224.0.0.5/32
[edit routing-options]
lab@srxA-1# delete static route address/32
[edit routing-options]
lab@srxA-1# delete static route address/32
[edit routing-options]
lab@srxA-1# delete static route address/32
[edit routing-options]
lab@srxA-1# delete static route address/24
[edit routing-options]
lab@srxA-1# show
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
}
Step 3.6
Activate the configuration and return to operational mode. Issue the
show route protocol ospf command to verify that the OSPF routes are now
active.
[edit routing-options]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1> show route protocol ospf
inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.20.102.0/24
192.168.1.2/32
192.168.2.1/32
192.168.2.2/32
224.0.0.5/32
lab@srxA-1>
STOP
Lab 2
Routing Policy (Detailed)
Overview
This lab demonstrates configuration and monitoring of routing policy on devices running
the Junos operating system. In this lab, you use the command-line interface (CLI) to
define, apply, and monitor basic routing policy.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/jre/lab2-start.config command. After the
configuration has been loaded, commit the changes.
srxA-1 (ttyp0)
login: lab
Password:
Step 1.4
Navigate to the [edit protocols ospf] hierarchy level, delete the tagged
interface from the OSPF configuration and activate the configuration change. If
needed, refer to the network diagram for this lab to identify the tagged interface.
[edit]
lab@srxA-1# edit protocols ospf
[edit protocols ospf]
lab@srxA-1# show
area 0.0.0.0 {
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
    interface ge-0/0/4.101;
    interface lo0.0;
}
[edit protocols ospf]
lab@srxA-1# delete area 0 interface ge-0/0/4.vlan-id
[edit protocols ospf]
lab@srxA-1# commit
commit complete
Step 1.5
Navigate to the [edit routing-options] hierarchy level. Define a static route
for each of the three subnets connected to the virtual router attached to your team's
device. Use the local virtual router as the next hop. Refer to the network diagram for
the destination subnet and next-hop information.
[edit protocols ospf]
lab@srxA-1# top edit routing-options
[edit routing-options]
lab@srxA-1# set static route address/24 next-hop address
[edit routing-options]
lab@srxA-1# set static route address/24 next-hop address
[edit routing-options]
lab@srxA-1# set static route address/24 next-hop address
[edit routing-options]
lab@srxA-1#
Step 1.6
Issue the show command to display the resulting configuration. Once satisfied with
your configuration, activate the changes and return to operational mode using the
commit and-quit command.
[edit routing-options]
lab@srxA-1# show
static {
    route 0.0.0.0/0 next-hop 172.18.1.1;
    route 172.21.0.0/24 next-hop 172.20.101.10;
    route 172.21.1.0/24 next-hop 172.20.101.10;
    route 172.21.2.0/24 next-hop 172.20.101.10;
}
[edit routing-options]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 1.7
Issue the show route protocol static command to display the current
static route entries.
lab@srxA-1> show route protocol static
inet.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 01:30:15
                    > to 172.18.1.1 via ge-0/0/3.0
172.21.0.0/24      *[Static/5] 00:00:21
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.1.0/24      *[Static/5] 00:00:21
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.2.0/24      *[Static/5] 00:00:21
                    > to 172.20.101.10 via ge-0/0/4.101
Step 1.8
Use the ping utility to verify reachability to the subnets connected to the local
virtual router.
lab@srxA-1> ping address rapid count 25
PING 172.21.0.1 (172.21.0.1): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.21.0.1 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.613/5.812/31.180/5.299 ms
lab@srxA-1> ping address rapid count 25
PING 172.21.1.1 (172.21.1.1): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.21.1.1 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.504/4.687/7.793/1.222 ms
lab@srxA-1> ping address rapid count 25
PING 172.21.2.1 (172.21.2.1): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.21.2.1 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.704/6.512/55.396/10.040 ms
State    ID             Pri  Dead
Full     192.168.2.1    128  39
Full     192.168.2.1    128  32
STOP
Wait for your instructor before you proceed to the next part.
Step 2.2
Navigate to the [edit policy-options] hierarchy level. Create a new policy
named default-route that matches and accepts the existing default static
route. Name the term match-default-static-route.
[edit]
lab@srxA-1# edit policy-options
[edit policy-options]
lab@srxA-1# edit policy-statement default-route
[edit policy-options policy-statement default-route]
lab@srxA-1# set term match-default-static-route from protocol static
[edit policy-options policy-statement default-route]
lab@srxA-1# set term match-default-static-route from route-filter 0/0 exact
[edit policy-options policy-statement default-route]
lab@srxA-1# set term match-default-static-route then accept
[edit policy-options policy-statement default-route]
lab@srxA-1#
Step 2.3
Navigate to the [edit protocols ospf] hierarchy level and apply the recently
defined policy as an OSPF export policy. Activate the configuration change.
[edit policy-options policy-statement default-route]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]
lab@srxA-1# set export default-route
[edit protocols ospf]
lab@srxA-1# commit
commit complete
[edit protocols ospf]
lab@srxA-1#
Note
0.0.0.0/0          *[Static/5] 00:35:18
                    > to 172.18.1.1 via ge-0/0/3.0
                    [OSPF/150] 00:22:53, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
[edit policy-options]
lab@srxA-1# edit policy-statement interface-routes
[edit policy-options policy-statement interface-routes]
lab@srxA-1# set term match-interface-routes from route-filter address/30 exact
[edit policy-options policy-statement interface-routes]
lab@srxA-1# set term match-interface-routes from route-filter address/24 exact
[edit policy-options policy-statement interface-routes]
lab@srxA-1# set term match-interface-routes then accept
[edit policy-options policy-statement interface-routes]
lab@srxA-1# show
term match-interface-routes {
    from {
        route-filter 172.18.1.0/30 exact;
        route-filter 172.20.101.0/24 exact;
    }
    then accept;
}
[edit policy-options policy-statement interface-routes]
lab@srxA-1#
Step 2.6
Navigate to the [edit protocols ospf] hierarchy level and apply the
interface-routes policy as an OSPF export policy. Activate the configuration
change.
[edit policy-options policy-statement interface-routes]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]
lab@srxA-1# set export interface-routes
[edit protocols ospf]
lab@srxA-1# commit
commit complete
[edit protocols ospf]
lab@srxA-1#
Note
Step 2.7
Issue the run show route protocol ospf command. Verify that your device
shows the OSPF external routes associated with the interfaces of the remote
student device. Check with the remote team to ensure that they also see the proper
OSPF routes in their device's routing table.
[edit protocols ospf]
lab@srxA-1# run show route protocol ospf
inet.0: 19 destinations, 20 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
172.18.2.0/30
172.20.102.0/24
192.168.2.1/32
224.0.0.5/32
Step 2.9
Navigate to the [edit protocols ospf] hierarchy level and apply the
other-static-routes policy as an OSPF export policy. Activate the
configuration change.
[edit policy-options policy-statement other-static-routes]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]
lab@srxA-1# set export other-static-routes
[edit protocols ospf]
lab@srxA-1# commit
commit complete
[edit protocols ospf]
lab@srxA-1#
Note
Step 2.10
Issue the run show route protocol ospf command. Verify that your device
shows the OSPF external routes associated with the static routes defined on the
remote student device. Check with the remote team to ensure that they also see the
proper OSPF routes in their device's routing table.
[edit protocols ospf]
lab@srxA-1# run show route protocol ospf
inet.0: 22 destinations, 23 routes (22 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
172.18.2.0/30
172.20.102.0/24
172.22.0.0/24
172.22.1.0/24
172.22.2.0/24
192.168.2.1/32
224.0.0.5/32
[edit policy-options]
lab@srxA-1# show
policy-statement default-route {
    term match-default-static-route {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
policy-statement interface-routes {
    term match-interface-routes {
        from {
            route-filter 172.18.1.0/30 exact;
            route-filter 172.20.101.0/24 exact;
        }
        then accept;
    }
}
policy-statement other-static-routes {
    term match-other-static-routes {
        from {
            protocol static;
            route-filter 172.21.0.0/24 exact;
            route-filter 172.21.1.0/24 exact;
            route-filter 172.21.2.0/24 exact;
        }
        then accept;
    }
}
[edit policy-options]
lab@srxA-1#
Step 2.12
Use the existing policies as a guide. Create a new policy named ospf-export with
three distinct terms: match-default-route, match-interface-routes,
and match-other-static-routes. Ensure that the new ospf-export policy
accomplishes the same basic objectives as the three existing policies.
[edit policy-options]
lab@srxA-1# edit policy-statement ospf-export
[edit policy-options policy-statement ospf-export]
lab@srxA-1# set term match-default-static-route from protocol static
[edit policy-options policy-statement ospf-export]
lab@srxA-1# set term match-default-static-route from route-filter 0/0 exact
[edit policy-options policy-statement ospf-export]
lab@srxA-1# set term match-default-static-route then accept
[edit policy-options policy-statement ospf-export]
lab@srxA-1# set term match-interface-routes from route-filter address/30 exact
Step 2.13
Navigate to the [edit protocols ospf] hierarchy level and delete the applied
export policies.
[edit policy-options policy-statement ospf-export]
lab@srxA-1# top edit protocols ospf
[edit protocols ospf]
lab@srxA-1# delete export
[edit protocols ospf]
lab@srxA-1#
Step 2.14
Apply the ospf-export policy as an OSPF export policy and activate the changes
using the commit command.
[edit protocols ospf]
lab@srxA-1# set export ospf-export
[edit protocols ospf]
lab@srxA-1# commit
commit complete
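The combined ospf-export policy from Steps 2.12 to 2.14, modelled as an added Python example (not part of the original lab guide) to show which routes it would redistribute into OSPF. Term contents are copied from the three policies shown earlier; the route list, the two extra routes marked hypothetical, and the function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PolicyTerm:
    name: str
    exact_prefixes: Tuple[str, ...]   # each entry is "route-filter <prefix> exact"
    protocol: Optional[str] = None    # None: the term has no "from protocol" condition


# Terms taken from the default-route, interface-routes and
# other-static-routes policies shown on this page.
OSPF_EXPORT = (
    PolicyTerm("match-default-static-route", ("0.0.0.0/0",), "static"),
    PolicyTerm("match-interface-routes", ("172.18.1.0/30", "172.20.101.0/24")),
    PolicyTerm(
        "match-other-static-routes",
        ("172.21.0.0/24", "172.21.1.0/24", "172.21.2.0/24"),
        "static",
    ),
)


def export_decision(policy, prefix, protocol):
    """Return (action, matching term) for one route.

    Within a term, the protocol condition AND one of the route-filters must
    match. Terms are evaluated in order and the first match wins. A route no
    term matches falls to the default OSPF export policy, which rejects it.
    """
    net = ipaddress.ip_network(prefix)
    for term in policy:
        if term.protocol is not None and term.protocol != protocol:
            continue
        # "exact" requires the same network AND the same prefix length.
        if any(net == ipaddress.ip_network(p) for p in term.exact_prefixes):
            return ("accept", term.name)
    return ("reject", "default-ospf-export")


# Constructed route list modelled on the student device's inet.0 table.
SAMPLE_ROUTES = (
    ("0.0.0.0/0", "static"),
    ("172.18.1.0/30", "direct"),
    ("172.20.101.0/24", "direct"),
    ("172.21.0.0/24", "static"),
    ("10.210.14.128/27", "direct"),   # management subnet, matched by no term
    ("192.168.1.1/32", "direct"),     # loopback, matched by no term
    ("172.21.0.0/25", "static"),      # hypothetical: longer than the /24 filter
    ("172.18.1.0/30", "static"),      # hypothetical: same prefix, other protocol
)


def exported_routes(policy, routes):
    """List (prefix, protocol, term) for every route the policy accepts."""
    result = []
    for prefix, protocol in routes:
        action, term = export_decision(policy, prefix, protocol)
        if action == "accept":
            result.append((prefix, protocol, term))
    return result


if __name__ == "__main__":
    for prefix, protocol in SAMPLE_ROUTES:
        action, term = export_decision(OSPF_EXPORT, prefix, protocol)
        print(f"{prefix:18} {protocol:7} {action:7} {term}")
```

The hypothetical static 172.18.1.0/30 is accepted because match-interface-routes has no protocol condition: a route-filter alone matches that prefix no matter which protocol installed it.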
Step 2.16
Return to the [edit policy-options] hierarchy level and delete the unused
routing policies. Activate the changes and return to operational mode using the
commit and-quit command.
[edit protocols ospf]
lab@srxA-1# top edit policy-options
[edit policy-options]
lab@srxA-1# delete policy-statement default-route
[edit policy-options]
lab@srxA-1# delete policy-statement interface-routes
[edit policy-options]
lab@srxA-1# delete policy-statement other-static-routes
[edit policy-options]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Step 2.17
Log out of your assigned device using the exit command.
lab@srxA-1> exit
srxA-1 (ttyu0)
login:
STOP
Lab 3
Firewall Filters (Detailed)
Overview
This lab demonstrates configuration and monitoring of firewall filters on devices running
the Junos operating system. In this lab, you use the command-line interface (CLI) to
define, apply, and monitor firewall filters.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the
load override /var/home/lab/jre/lab3-start.config command. After the
configuration has been loaded, commit the changes.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override jre/lab3-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to the [edit system services] hierarchy level. Issue the show
command to display the currently enabled services.
[edit]
lab@srxA-1# edit system services
[edit system services]
lab@srxA-1# show
ssh;
telnet;
web-management {
    http {
        interface ge-0/0/0.0;
    }
    https {
        system-generated-certificate;
        interface all;
    }
}
[edit system services]
lab@srxA-1#
Step 1.5
Enable the ftp service and activate the configuration change using the commit
command.
[edit system services]
lab@srxA-1# set ftp
[edit system services]
lab@srxA-1# commit
commit complete
Note
Step 1.7
Log in to the virtual router attached to your team's device using the login information
shown in the following table:
Virtual Router Login Details
Student Device    Username    Password
srxA-1            a1          lab123
srxA-2            a2          lab123
srxB-1            b1          lab123
srxB-2            b2          lab123
srxC-1            c1          lab123
srxC-2            c2          lab123
srxD-1            d1          lab123
srxD-2            d2          lab123
vr-device (ttyp0)
login: username
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 11:28:05 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
a1@vr-device>
Step 1.8
Use the ping utility to verify reachability to your device's loopback address and the
Internet host. Refer to the network diagram associated with this lab as needed.
Note
Step 1.10
Issue the bye command to close the established FTP session.
ftp> bye
221 Goodbye.
a1@vr-device>
Step 1.11
Attempt to establish an SSH session with your assigned device by issuing the ssh
routing-instance instance lab@address command. Reference the
instance name associated with your virtual router and the loopback address
assigned to your student device as the destination address.
a1@vr-device> ssh routing-instance local_instance lab@address
The authenticity of host '10.210.14.131 (10.210.14.131)' can't be established.
RSA key fingerprint is 7b:a1:9b:00:6e:7f:aa:5b:65:b3:b2:4c:5e:d6:8e:f2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.210.14.131' (RSA) to the list of known hosts.
lab@10.210.14.131's password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1>
Step 1.13
Attempt to establish a Telnet session with your assigned device. Use the loopback
address assigned to your device as the destination address. Use the lab user
account when testing this service.
Note
State    ID             Pri  Dead
Full     192.168.2.1    128  37
Full     192.168.2.1    128  34
0.0.0.0/0          *[Static/5] 14:31:10
                    > to 172.18.1.1 via ge-0/0/3.0
                    [OSPF/150] 12:52:11, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
10.210.14.128/27   *[Direct/0] 17:07:19
                    > via ge-0/0/0.0
10.210.14.131/32   *[Local/0] 17:07:23
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 14:51:36
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 14:51:36
                      Local via ge-0/0/3.0
172.18.2.0/30      *[OSPF/150] 12:45:06, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
172.20.66.0/30     *[Direct/0] 14:51:36
                    > via ge-0/0/2.0
172.20.66.1/32     *[Local/0] 14:51:36
                      Local via ge-0/0/2.0
172.20.77.0/30     *[Direct/0] 14:51:36
                    > via ge-0/0/1.0
172.20.77.1/32     *[Local/0] 14:51:36
                      Local via ge-0/0/1.0
172.20.101.0/24    *[Direct/0] 14:51:36
                    > via ge-0/0/4.101
172.20.101.1/32    *[Local/0] 14:51:36
                      Local via ge-0/0/4.101
172.20.102.0/24    *[OSPF/150] 12:45:06, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
172.21.0.0/24      *[Static/5] 13:01:16
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.1.0/24      *[Static/5] 13:01:16
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.2.0/24      *[Static/5] 13:01:16
                    > to 172.20.101.10 via ge-0/0/4.101
172.22.0.0/24      *[OSPF/150] 11:39:23, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
172.22.1.0/24      *[OSPF/150] 11:39:23, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
172.22.2.0/24      *[OSPF/150] 11:39:23, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
192.168.1.1/32     *[Direct/0] 14:51:36
                    > via lo0.0
192.168.2.1/32     *[OSPF/10] 13:22:31, metric 1
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 13:23:22, metric 1
                      MultiRecv
STOP
Step 2.2
From your assigned student device, navigate to the [edit firewall] hierarchy
level. Issue the edit family ? command and answer the following question:
[edit]
lab@srxA-1# edit firewall
[edit firewall]
lab@srxA-1# edit family ?
Possible completions:
> any                  Protocol-independent filter
> bridge               Protocol family BRIDGE for firewall filter
> ccc                  Protocol family CCC for firewall filter
> inet                 Protocol family IPv4 for firewall filter
> inet6                Protocol family IPv6 for firewall filter
> mpls                 Protocol family MPLS for firewall filter
> vpls                 Protocol family VPLS for firewall filter
[edit firewall]
lab@srxA-1# edit family
Step 2.4
Create a term named limit-icmp that only permits inbound ICMP packets from
the 10.210.0.0/16 subnet.
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-icmp from protocol icmp
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-icmp from source-address 10.210.0.0/16
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-icmp then accept
Step 2.5
Create a term named limit-ftp that permits inbound FTP packets from the
10.210.0.0/16 subnet.
Step 2.6
Create a term named limit-ssh that permits inbound SSH packets from the
10.210.0.0/16 subnet.
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-ssh from protocol tcp port ssh
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-ssh from source-address 10.210.0.0/16
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-ssh then accept
Step 2.7
Create a term named limit-telnet that permits inbound Telnet packets from
the 10.210.0.0/16 subnet.
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-telnet from protocol tcp port telnet
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-telnet from source-address 10.210.0.0/16
[edit firewall family inet filter protect-host]
lab@srxA-1# set term limit-telnet then accept
Step 2.8
Navigate to the [edit interfaces lo0] hierarchy level and apply the
protect-host firewall filter as an input filter. Issue the commit command to
activate the configuration change.
[edit firewall family inet filter protect-host]
lab@srxA-1# top edit interfaces lo0
[edit interfaces lo0]
lab@srxA-1# set unit 0 family inet filter input protect-host
[edit interfaces lo0]
lab@srxA-1# commit
commit complete
[edit interfaces lo0]
lab@srxA-1#
Step 2.9
Return to the session opened for the virtual router attached to your team's device.
From your assigned virtual router, use the ping utility to verify reachability to your
device's loopback address and the Internet host. Refer to the network diagram for
the destination addresses when performing the ping operations.
Note
*[Static/5] 14:48:28
> to 172.18.1.1 via ge-0/0/3.0
*[Direct/0] 17:24:37
> via ge-0/0/0.0
*[Local/0] 17:24:41
Local via ge-0/0/0.0
*[Direct/0] 15:08:54
> via ge-0/0/3.0
*[Local/0] 15:08:54
Local via ge-0/0/3.0
*[Direct/0] 15:08:54
> via ge-0/0/2.0
*[Local/0] 15:08:54
Local via ge-0/0/2.0
*[Direct/0] 15:08:54
> via ge-0/0/1.0
*[Local/0] 15:08:54
Local via ge-0/0/1.0
*[Direct/0] 15:08:54
> via ge-0/0/4.101
172.20.101.1/32    *[Local/0] 15:08:54
                      Local via ge-0/0/4.101
172.21.0.0/24      *[Static/5] 13:18:34
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.1.0/24      *[Static/5] 13:18:34
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.2.0/24      *[Static/5] 13:18:34
                    > to 172.20.101.10 via ge-0/0/4.101
192.168.1.1/32     *[Direct/0] 15:08:54
                    > via lo0.0
224.0.0.5/32       *[OSPF/10] 13:40:40, metric 1
                      MultiRecv
State     ID               Pri  Dead
Full      192.168.2.1      128    35
Full      192.168.2.1      128    38
                   *[Static/5] 14:55:12
                    > to 172.18.1.1 via ge-0/0/3.0
                    [OSPF/150] 00:00:34, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
10.210.14.128/27   *[Direct/0] 17:31:21
                    > via ge-0/0/0.0
10.210.14.131/32   *[Local/0] 17:31:25
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 15:15:38
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 15:15:38
                      Local via ge-0/0/3.0
172.18.2.0/30      *[OSPF/150] 00:00:34, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
172.20.66.0/30     *[Direct/0] 15:15:38
                    > via ge-0/0/2.0
172.20.66.1/32     *[Local/0] 15:15:38
                      Local via ge-0/0/2.0
172.20.77.0/30     *[Direct/0] 15:15:38
                    > via ge-0/0/1.0
172.20.77.1/32     *[Local/0] 15:15:38
                      Local via ge-0/0/1.0
172.20.101.0/24    *[Direct/0] 15:15:38
                    > via ge-0/0/4.101
172.20.101.1/32    *[Local/0] 15:15:38
                      Local via ge-0/0/4.101
172.20.102.0/24    *[OSPF/150] 00:00:34, metric 0, tag 0
172.21.0.0/24
172.21.1.0/24
172.21.2.0/24
172.22.0.0/24
172.22.1.0/24
172.22.2.0/24
192.168.1.1/32
192.168.2.1/32
224.0.0.5/32
        discard;
    }
}
term limit-telnet {
    from {
        source-address {
            10.210.0.0/16 except;
            0.0.0.0/0;
        }
        protocol tcp;
        port telnet;
    }
    then {
        count count-limit-telnet;
        discard;
    }
}
term else-accept {
    then {
        count count-else-accept;
        accept;
    }
}
[edit firewall family inet filter protect-host]
lab@srxA-1#
Step 2.16
Return to the [edit interfaces lo0] hierarchy level and reactivate the
protect-host filter. Issue the commit and-quit command to activate the
configuration changes and return to operational mode.
[edit firewall family inet filter protect-host]
lab@srxA-1# top edit interfaces lo0
[edit interfaces lo0]
lab@srxA-1# activate unit 0 family inet filter
[edit interfaces lo0]
lab@srxA-1# show
unit 0 {
    family inet {
        filter {
            input protect-host;
        }
        address 192.168.1.1/32;
    }
}
[edit interfaces lo0]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
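The two designs of the protect-host filter in this lab, modelled as an added Python example (not Juniper code and not part of the course material). It evaluates terms in order with the implicit discard at the end of every filter, and shows why a filter built only from accept terms drops OSPF hellos arriving on lo0 while the revised filter keeps them. The limit-ftp term and the revised terms that are cut off on this page are left out; the 10.210.14.130 source and the port numbers in the sample packets are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}
PORT = {"ssh": 22, "telnet": 23}


@dataclass
class Term:
    name: str
    action: str                        # "accept" or "discard"
    protocol: Optional[str] = None     # None means "any protocol"
    port: Optional[str] = None         # matches source OR destination port
    # (prefix, is_except) pairs, as in a Junos source-address block
    source: list = field(default_factory=list)

    def _source_matches(self, src: str) -> bool:
        if not self.source:
            return True                # no source-address condition at all
        hits = [(ip_network(p), exc) for p, exc in self.source
                if ip_address(src) in ip_network(p)]
        if not hits:
            return False
        # The longest matching prefix decides; "except" turns it into a non-match.
        _, is_except = max(hits, key=lambda h: h[0].prefixlen)
        return not is_except

    def matches(self, pkt: dict) -> bool:
        # All conditions inside one term must be true (logical AND).
        if self.protocol and PROTO[self.protocol] != pkt["proto"]:
            return False
        if self.port and PORT[self.port] not in (pkt.get("sport"), pkt.get("dport")):
            return False
        return self._source_matches(pkt["src"])


def evaluate(terms, pkt):
    """Return (term name, action) of the first term that matches the packet."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit-discard", "discard"   # nothing matched


INSIDE = [("10.210.0.0/16", False)]
NOT_INSIDE = [("10.210.0.0/16", True), ("0.0.0.0/0", False)]

# First design (Steps 2.4 to 2.7): accept terms only, everything else is dropped.
PERMIT_ONLY = [
    Term("limit-icmp", "accept", protocol="icmp", source=INSIDE),
    Term("limit-ssh", "accept", protocol="tcp", port="ssh", source=INSIDE),
    Term("limit-telnet", "accept", protocol="tcp", port="telnet", source=INSIDE),
]

# Revised design (the terms visible before Step 2.16): discard what is
# unwanted, then accept everything else explicitly.
DISCARD_THEN_ACCEPT = [
    Term("limit-telnet", "discard", protocol="tcp", port="telnet", source=NOT_INSIDE),
    Term("else-accept", "accept"),
]

# Constructed sample packets addressed to the device itself (lo0 input filter).
PACKETS = {
    "ospf-hello": {"src": "172.20.77.2", "proto": PROTO["ospf"]},
    "telnet-mgmt": {"src": "10.210.14.130", "proto": 6, "sport": 40000, "dport": 23},
    "telnet-vr": {"src": "172.20.101.10", "proto": 6, "sport": 40001, "dport": 23},
}


def verdicts(terms):
    """Evaluate every sample packet against one filter."""
    return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, terms in (("permit-only", PERMIT_ONLY),
                         ("discard-then-accept", DISCARD_THEN_ACCEPT)):
        for name, (term, action) in verdicts(terms).items():
            print(f"{label:20} {name:12} {term:17} {action}")
```

Because a lo0 input filter sees all traffic destined to the routing engine, any permit-only design has to list routing protocols explicitly or end with a deliberate catch-all term.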
Step 2.17
Issue the show ospf neighbor and show route commands again to verify
that the state of the OSPF neighbors is Full and that OSPF routes are still present.
lab@srxA-1> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
172.20.77.2      ge-0/0/1.0             Full      192.168.2.1      128    36
172.20.66.2      ge-0/0/2.0             Full      192.168.2.1      128    36
                   *[Static/5] 15:02:09
                    > to 172.18.1.1 via ge-0/0/3.0
                    [OSPF/150] 00:07:31, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
10.210.14.128/27   *[Direct/0] 17:38:18
                    > via ge-0/0/0.0
10.210.14.131/32   *[Local/0] 17:38:22
                      Local via ge-0/0/0.0
172.18.1.0/30      *[Direct/0] 15:22:35
                    > via ge-0/0/3.0
172.18.1.2/32      *[Local/0] 15:22:35
                      Local via ge-0/0/3.0
172.18.2.0/30      *[OSPF/150] 00:07:31, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
172.20.66.0/30     *[Direct/0] 15:22:35
                    > via ge-0/0/2.0
172.20.66.1/32     *[Local/0] 15:22:35
                      Local via ge-0/0/2.0
172.20.77.0/30     *[Direct/0] 15:22:35
                    > via ge-0/0/1.0
172.20.77.1/32     *[Local/0] 15:22:35
                      Local via ge-0/0/1.0
172.20.101.0/24    *[Direct/0] 15:22:35
                    > via ge-0/0/4.101
172.20.101.1/32    *[Local/0] 15:22:35
                      Local via ge-0/0/4.101
172.20.102.0/24    *[OSPF/150] 00:07:31, metric 0, tag 0
                    > to 172.20.77.2 via ge-0/0/1.0
                      to 172.20.66.2 via ge-0/0/2.0
172.21.0.0/24      *[Static/5] 13:32:15
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.1.0/24      *[Static/5] 13:32:15
                    > to 172.20.101.10 via ge-0/0/4.101
172.21.2.0/24      *[Static/5] 13:32:15
                    > to 172.20.101.10 via ge-0/0/4.101
172.22.0.0/24      *[OSPF/150] 00:07:31, metric 0, tag 0
                      to 172.20.77.2 via ge-0/0/1.0
                    > to 172.20.66.2 via ge-0/0/2.0
172.22.1.0/24
172.22.2.0/24
192.168.1.1/32
192.168.2.1/32
224.0.0.5/32
Step 2.19
From the virtual router, attempt to establish FTP, SSH, and Telnet sessions with your
assigned device. Use the loopback address assigned to your device as the
destination address. Use the lab user account when testing these services.
Note
Note
Bytes      Packets
18241      250
64         1
1260       15
64         1
128        2
STOP
Lab 4
Class of Service (Optional)(Detailed)
Overview
This lab explores basic class of service (CoS) configuration for devices running the
Junos operating system. In this lab, you use the command-line interface (CLI) to define,
apply, and monitor CoS components.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
Step 1.3
Log in to the student device with the username lab using a password of lab123.
Note that both the name and password are case-sensitive. Enter configuration mode
and load the reset configuration file using the load override
/var/home/lab/jre/lab4-start.config command. After the configuration has been
loaded, commit the changes.
srxA-1 (ttyp0)
login: lab
Password:
--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
lab@srxA-1> configure
Entering configuration mode
[edit]
lab@srxA-1# load override jre/lab4-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 1.4
Navigate to the [edit interfaces] hierarchy level and add the additional
logical interface to the ge-0/0/4 interface. For addressing and other interface
configuration details, refer to the network diagram for this lab.
[edit]
lab@srxA-1# edit interfaces
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit vlan-id family inet address address/24
[edit interfaces]
lab@srxA-1# set ge-0/0/4 unit vlan-id vlan-id vlan-id
[edit interfaces]
lab@srxA-1#
Step 1.5
Display the resulting configuration and verify that it is correct. Once you are satisfied
with the interface configuration, issue the commit command to activate the
changes.
[edit interfaces]
lab@srxA-1# show ge-0/0/4
vlan-tagging;
unit 101 {
    vlan-id 101;
    family inet {
        address 172.20.101.1/24;
    }
}
unit 201 {
    vlan-id 201;
    family inet {
        address 172.20.201.1/24;
    }
}
[edit interfaces]
lab@srxA-1# commit
commit complete
Step 1.6
Use the ping utility to verify reachability to both virtual routers attached to your
device.
[edit interfaces]
lab@srxA-1# run ping address rapid count 25
PING 172.20.101.10 (172.20.101.10): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.101.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.537/4.971/12.238/2.008 ms
[edit interfaces]
lab@srxA-1# run ping address rapid count 25
PING 172.20.201.10 (172.20.201.10): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.201.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.299/9.487/124.851/23.574 ms
    from {
        route-filter 172.20.101.0/24 exact;
        route-filter 172.20.201.0/24 exact;
    }
    then accept;
}
[edit policy-options policy-statement ospf-export]
lab@srxA-1# commit
commit complete
[edit policy-options policy-statement ospf-export]
lab@srxA-1#
Note
Pri  Dead
128    35
Step 1.10
Log in to the virtual router using the login information shown in the following table:
Virtual Router Login Details

Student Device    Username    Password
srxA-1            a1          lab123
srxA-2            a2          lab123
srxB-1            b1          lab123
srxB-2            b2          lab123
srxC-1            c1          lab123
srxC-2            c2          lab123
srxD-1            d1          lab123
srxD-2            d2          lab123
vr-device (ttyp0)
login: username
Password:
--- JUNOS 11.4R1.6 built 2011-11-15 11:28:05 UTC
NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.
a1@vr-device>
Step 1.11
From both of your assigned virtual routers, use the ping utility to verify reachability
to each of the remote virtual routers connected to the remote student device. Refer
to the network diagram for the destination addresses when performing the ping
operations.
Note
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.102.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.222/17.445/322.150/62.205 ms
a1@vr-device> ping routing-instance local_instance remote_vr_address rapid count 25
PING 172.20.202.10 (172.20.202.10): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.202.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.374/9.590/124.417/23.453 ms
a1@vr-device> ping routing-instance local_instance remote_vr_address rapid count 25
PING 172.20.102.10 (172.20.102.10): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.102.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.809/10.205/124.041/23.248 ms
a1@vr-device> ping routing-instance local_instance remote_vr_address rapid count 25
PING 172.20.202.10 (172.20.202.10): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.20.202.10 ping statistics ---
25 packets transmitted, 25 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.058/5.216/5.915/0.577 ms
a1@vr-device>
Forwarding Class    Bandwidth and Buffer Allocation (%)    Priority
best-effort         40                                     Low
admin               45                                     Medium-low
voip                10                                     High
network-control                                            Medium-high
Step 2.1
Return to the session opened to your assigned student device.
From your assigned student device, navigate to the top of the hierarchy and load the
lab4-part2-start.config file from the /var/home/lab/jre/ directory.
Commit your configuration when complete.
[edit policy-options policy-statement ospf-export]
lab@srxA-1# top
[edit]
lab@srxA-1# load override jre/lab4-part2-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 2.2
Navigate to the [edit class-of-service forwarding-classes]
hierarchy level. Configure the forwarding class to queue mappings shown in the
table.
[edit]
lab@srxA-1# edit class-of-service forwarding-classes
Step 2.4
Configure a scheduler map named my-sched-map that associates each
forwarding class with its corresponding scheduler.
[edit class-of-service schedulers network-control-sched]
lab@srxA-1# up 2
[edit class-of-service]
lab@srxA-1# edit scheduler-maps my-sched-map
[edit class-of-service scheduler-maps my-sched-map]
lab@srxA-1# set forwarding-class best-effort scheduler best-effort-sched
[edit class-of-service scheduler-maps my-sched-map]
lab@srxA-1# set forwarding-class admin scheduler admin-sched
[edit class-of-service scheduler-maps my-sched-map]
lab@srxA-1# set forwarding-class voip scheduler voip-sched
Step 2.5
Assign the scheduler map to all configured network interfaces and commit your
configuration when complete. Refer to the network diagram for this lab, if needed.
[edit class-of-service scheduler-maps my-sched-map]
lab@srxA-1# up 2
[edit class-of-service]
lab@srxA-1# edit interfaces
[edit class-of-service interfaces]
lab@srxA-1# set ge-0/0/4 scheduler-map my-sched-map
[edit class-of-service interfaces]
lab@srxA-1# set ge-0/0/1 scheduler-map my-sched-map
[edit class-of-service interfaces]
lab@srxA-1# commit
commit complete
[edit class-of-service interfaces]
lab@srxA-1#
Step 3.1
Navigate to the top of the hierarchy and load the lab4-part3-start.config
file from the /var/home/lab/jre/ directory. Commit your configuration when
complete.
[edit class-of-service interfaces]
lab@srxA-1# top
[edit]
lab@srxA-1# load override jre/lab4-part3-start.config
load complete
[edit]
lab@srxA-1# commit
commit complete
[edit]
lab@srxA-1#
Step 3.2
Navigate to the [edit firewall family inet filter
classify-traffic] hierarchy level to create a new firewall filter named
classify-traffic. Create a term named sip that places SIP traffic sourced
from the locally attached vr10V virtual router subnet (where V is the virtual router
specified in the lab diagrams) into the voip forwarding class. SIP traffic uses either
UDP or TCP and Port 5060.
[edit]
lab@srxA-1# edit firewall family inet filter classify-traffic
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term sip from source-address address/24
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term sip from protocol [tcp udp] port 5060
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term sip then forwarding-class voip
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term sip then accept
[edit firewall family inet filter classify-traffic]
lab@srxA-1#
Step 3.3
Create a term named rtp that places RTP traffic sourced from the locally attached
vr10V virtual router subnet (where V is the virtual router specified in the lab
diagrams) into the voip forwarding class. RTP traffic uses UDP and a port range of
16384-32767.
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term rtp from source-address address/24
Step 3.4
Create a term named admin that places traffic with a source address from the
subnet associated with the locally attached vr20V virtual router (where V is the
virtual router specified in the lab diagrams) into the admin forwarding class.
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term admin from source-address address/24
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term admin then forwarding-class admin
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term admin then accept
Step 3.5
Create a term named accept-all that accepts all other traffic and places it in the
default forwarding class.
[edit firewall family inet filter classify-traffic]
lab@srxA-1# set term accept-all then accept
Step 3.6
Apply the classify-traffic firewall filter to your device's tagged interfaces to
process inbound traffic from the directly attached virtual routers. Issue the
commit command to activate the configuration changes.
[edit firewall family inet filter classify-traffic]
lab@srxA-1# top edit interfaces ge-0/0/4
[edit interfaces ge-0/0/4]
lab@srxA-1# set unit vlan-id family inet filter input classify-traffic
[edit interfaces ge-0/0/4]
lab@srxA-1# set unit vlan-id family inet filter input classify-traffic
[edit interfaces ge-0/0/4]
lab@srxA-1# commit
commit complete
[edit interfaces ge-0/0/4]
lab@srxA-1#
Step 4.2
Clear the interface statistics using the clear interfaces statistics all
command.
lab@srxA-1> clear interfaces statistics all
Step 4.3
From your assigned student device, issue the show interfaces queue
ge-0/0/1 command to verify the queueing statistics for the ge-0/0/1 interface.
You should see per-queue traffic statistics. Use these statistics as a baseline for
subsequent tests.
lab@srxA-1> show interfaces queue ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 132, SNMP ifIndex: 119
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 1, Forwarding classes: admin
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :          2        0 pps
    Bytes                :        188      368 bps
  Transmitted:
    Packets              :          2        0 pps
    Bytes                :        188      368 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
--- 172.20.102.10 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.299/8.634/322.981/32.003 ms
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :         96        0 pps
    Bytes                :       9008        0 bps
  Transmitted:
    Packets              :         96        0 pps
    Bytes                :       9008        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Step 4.6
Return to the session opened to your assigned virtual router.
From the virtual router, use the ping utility to send ICMP traffic from the local
vr20V device to the remote vr20V device (where V is the virtual router specified in
the lab diagrams). Use the count option with a value of 100. You might also want to
include the rapid option to speed up the process. Refer to the network diagram for
the destination address.
     High                :          0        0 bps
Queue: 1, Forwarding classes: admin
  Queued:
    Packets              :        100        0 pps
    Bytes                :       9800        0 bps
  Transmitted:
    Packets              :        100        0 pps
    Bytes                :       9800        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :        136        0 pps
    Bytes                :      12772        0 bps
  Transmitted:
    Packets              :        136        0 pps
    Bytes                :      12772        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Step 4.8
Return to the session opened to your assigned virtual router.
From the virtual router, use the telnet utility to simulate SIP traffic from the local
vr10V virtual router to the remote vr10V virtual router (where V is the virtual
router specified in the lab diagrams). Use the port option with a port value of 5060
for this telnet session. Refer to the network diagram for the destination address.
Note
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 1, Forwarding classes: admin
  Queued:
    Packets              :        100        0 pps
    Bytes                :       9800        0 bps
  Transmitted:
    Packets              :        100        0 pps
    Bytes                :       9800        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          1        0 pps
    Bytes                :         78        0 bps
  Transmitted:
    Packets              :          1        0 pps
    Bytes                :         78        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :        151        0 pps
    Bytes                :      14182        0 bps
  Transmitted:
    Packets              :        151        0 pps
    Bytes                :      14182        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Step 5.2
Clear the interface statistics using the run clear interfaces statistics
all command.
[edit]
lab@srxA-1# run clear interfaces statistics all
Step 5.3
Issue the run show interfaces queue ge-0/0/4 command to view the
queueing statistics. Record the output as baseline statistics.
[edit]
lab@srxA-1# run show interfaces queue ge-0/0/4
Physical interface: ge-0/0/4, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 128
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 1, Forwarding classes: admin
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Step 5.5
Configure the ge-0/0/1 interface to use the default IP precedence classifier for
inbound traffic. Activate the configuration changes and return to operational mode
using the commit and-quit command.
[edit class-of-service]
lab@srxA-1# set interfaces ge-0/0/1 unit 0 classifiers inet-precedence default
[edit class-of-service]
lab@srxA-1# commit and-quit
commit complete
Exiting configuration mode
lab@srxA-1>
Note
From your assigned student device, issue the show interfaces queue
ge-0/0/4 command and compare it to the baseline statistics you recorded earlier.
You should see that the statistics for queue 1 have incremented.
lab@srxA-1> show interfaces queue ge-0/0/4
Physical interface: ge-0/0/4, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 128
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: best-effort
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 1, Forwarding classes: admin
  Queued:
    Packets              :        100        0 pps
    Bytes                :      10200        0 bps
  Transmitted:
    Packets              :        100        0 pps
    Bytes                :      10200        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 2, Forwarding classes: voip
  Queued:
    Packets              :          1        0 pps
    Bytes                :         64        0 bps
  Transmitted:
    Packets              :          1        0 pps
    Bytes                :         64        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
Queue: 3, Forwarding classes: network-control
  Queued:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
  Transmitted:
    Packets              :          0        0 pps
    Bytes                :          0        0 bps
    Tail-dropped packets :          0        0 pps
    RED-dropped packets  :          0        0 pps
     Low                 :          0        0 pps
     Medium-low          :          0        0 pps
     Medium-high         :          0        0 pps
     High                :          0        0 pps
    RED-dropped bytes    :          0        0 bps
     Low                 :          0        0 bps
     Medium-low          :          0        0 bps
     Medium-high         :          0        0 bps
     High                :          0        0 bps
STOP
Lab Diagrams