JUNOS Cookbook
by Aviva Garrett

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated June 23, 2008.

UNCONFIRMED errors and comments from readers:

(16) the example for basic setup the second to last command;
In the example for basic setup the second to last command should be:
    set system login user aviva authentication plain-text-password
It says:
    set system log .....

[69] Fourth Paragraph, first sentence;
This is incorrect: "With graceful switchover, the backup Routing Engine regularly synchronizes its configuration and state with the master Routing Engine." JUNOS does not automatically sync its config between REs. You must either issue commit synchronize or configure automatic synchronization under the "edit system commit" hierarchy.

{88} 2nd paragraph of the DISCUSSION section;
I have read the demo chapter provided on the JUNIPER website and I have found an error. On the solution part of point 2.9 (Creating a Group Login Account) a noc user is defined. But in the comments of the Discussion section you can read "This second command, set user remote full-name, provides a description of the account". It should say "This second command, set user noc full-name, provides a description of the account".

(94) 22 line from the top;
(is)
    # set class operator-plus-read-config permissions idle-timeout 5
(should be)
    # set class operator-plus-read-config idle-timeout 5

(117) top of page third line;
the command is
    [edit protocols ospf area 0.0.0.0 ]
    set interface sp-1/2/1
to set the IGP to use the IPSec tunnel interface.
On the previous page the interfaces are set as
    sp-1/2/0.1 service-domain inside
    sp-1/2/0.2 service-domain outside
I believe that the interface should have been
    [edit protocols ospf area 0.0.0.0 ]
    set interface sp-1/2/0.1

{283} line 3, 10, 18 from end;
In the commands example, all of the "edit policy-options" terms should be "edit firewall".

{284} line 6;
From JUNOS 8.0R, applying multiple firewall filters on an input/output interface is allowed.

{287} line 2 from the end;
In the statement "Here, the action is to accept the packet (set then accept).", the word packet should be changed to route to match the recipe example. The example is a policy-statement and would be applied on routes only.

{288} line 1 (exclude Table 9-3);
In the statement "..., if the packet matches all the .....", the word "packet" should be "route" to match the recipe example.

(294) line 12 from the end;
In the statement "set from route-filter 0.0.0.0/0 or longer", no space should exist between "or" and "longer".

{310} line 17 from the end;
Although there are lots of restrictions, we can apply more than only one filter on a single interface since JUNOS 8.0R.

(312) line 6;
In the recipe, the statement "[edit firewall incoming-to-me]" should be "[edit firewall filter incoming-to-me]".

{312} line 17 ~ 20;
After comparing the discussion on page 313, all the "ICMP/icmp" words here should be "OSPF/ospf". BTW, this recipe is an example for an eBGP border router, so adding a term to permit ospf packets is unnecessary.

(315) line 14;
The term "final-accept" here should be "reject-addresses".

{317} line 13;
For the statement "You can log accepted and rejected packets but not discarded ones.", the same as on page 306, Table 9-6.
Here is a piece of filter on our border router: (The address was changed to private address)

    filter peer_in {
        interface-specific;
        term ddos_filter {
            from {
                destination-address {
                    /* ddos filtering for customer */
                    192.168.157.186/32;
                }
            }
            then {
                log;
                discard;
            }
        }
    }

I use this term to discard packets flowing to my customer, and actually I could use "show firewall log" to view the discarded packets log. In the JUNOS configuration guide, it says "Discarded packets cannot be logged or sampled." before JUNOS 7.5. Since JUNOS 7.6, the statement was removed. We use JUNOS version 7.4R2.6 on our border router. It confused me.

{321} line 13 to 10 from the end;
A command statement "set from destination-port 3221" is necessary to exactly match xnm traffic.

(412) 6th line from the bottom;
    aviva@RouterG> show route table inet.0 show route table inet.0 192.168.18.1
"show route table inet.0" is printed twice. Should be:
    aviva@RouterG> show route table inet.0 192.168.18.1

[554] line 24;
In the statement "The local PE router pops the VPN label.....", the word "pops" should be "pushes", because the local PE router has to add a VPN label on the packet for the remote PE router to resolve the correct VRF.

{561} line 13 from end;
In the statement "when sending routes to local PE router", the word "local" should be "remote" to match the meaning that follows the statement.

{568} line 13~11 from end;
I do not know what JUNOS version the author used, but the command "routing-options" here is unnecessary.

(574) line 6 from end;
In the statement "between the remote PE router and the remote PE.....", one of the two "PE router" should be "CE router".