book

Juniper MX Series, 2nd Edition

by Douglas Richard Hanks, Harry Reynolds, David Roy

September 2016

Intermediate to advanced

1140 pages

30h 11m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Second Edition NotesNo ApologiesBook TopologyInterface NamesAggregate Ethernet AssignmentsLayer 2IPv4 AddressingIPv6 AddressingWhat’s in This Book?Conventions Used in This BookSafari® Books OnlineHow to Contact Us
Junos OSOne JunosSoftware ReleasesJunos Continuity—JAMSoftware ArchitectureRouting SocketsJunos OS ModernizationJuniper MX ChassisvMXMX80MidrangeMX104MX240MX480MX960MX2010 and MX2020TrioTrio ArchitectureTrio GenerationsBuffering BlockLookup BlockInterfaces BlockDense Queuing BlockLine Cards and ModulesDense Port ConcentratorModular Port ConcentratorPacket WalkthroughModular Interface CardNetwork ServicesSwitch and Control BoardEthernet SwitchSwitch FabricMX Switch Control BoardEnhanced MX Switch Control BoardJ-CellSummaryChapter Review QuestionsChapter Review Answers
Isn’t the MX a Router?Layer 2 NetworkingEthernet IIIEEE 802.1QIEEE 802.1QinQJunos InterfacesInterface Bridge ConfigurationBasic Comparison of Service Provider Versus Enterprise StyleService Provider Interface Bridge ConfigurationTaggingEncapsulationService Provider Bridge Domain ConfigurationEnterprise Interface Bridge ConfigurationInterface ModeVLAN RewriteService Provider VLAN MappingStack Data StructureStack OperationsStack Operations MapTag CountBridge Domain RequirementsExample: Push and PopExample: Swap-Push and Pop-SwapBridge DomainsLearning DomainBridge Domain ModesVLAN Normalization and Rewrite OperationsBridge Domain OptionsShow Bridge Domain CommandsClear MAC AddressesMAC AccountingIntegrated Routing and BridgingIRB AttributesVirtual SwitchConfigurationVXLANVXLAN as a Layer 2 OverlayVXLAN on MX SeriesSummaryChapter Review QuestionsChapter Review Answers
Firewall Filter and Policer OverviewStateless Versus StatefulStateless Filter ComponentsFilters Versus Routing PolicyFilter ScalingFiltering Differences for MPC Versus DPCFilter OperationStateless Filter ProcessingPolicingRate Limiting: Shaping or Policing?Junos Policer OperationCascaded PolicersSingle and Two-Rate Three-Color PolicersHierarchical PolicersApplying Filters and PolicersFilter Application PointsApplying PolicersPolicer Context SummaryPolicer Application RestrictionsAdvanced Filtering FeaturesEnhanced Filter Modeflexible-match FilterFast Lookup FilterAdvanced Filtering SummaryBridge Filtering Case StudyFilter Processing in Bridged and Routed EnvironmentsMonitor and Troubleshoot Filters and PolicersBridge Family Filter and Policing Case StudyBridge Filtering SummaryService Provider DDOS Filtering Case StudySummaryChapter Review QuestionsChapter Review Answers
RE Protection Case StudyIPv4 RE Protection FilterIPv6 RE Protection FilterDDoS Protection Case StudyThe Issue of Control Plane DepletionDDoS Operational OverviewDDoS Configuration and Operational VerificationDDoS Case StudyThe Attack Has Begun!Suspicious Control Flow DetectionSCFD VocabularyConfigure Flow DetectionCase Study: Suspicious Flow DetectionSuspicious Control Flow Detection SummaryMitigate DDoS AttacksBGP Flow-Specification to the RescueWhat’s New in the World of Flow-Spec?BGP Flow-Specification Case StudyLet the Attack Begin!SummaryChapter Review QuestionsChapter Review Answers
MX CoS CapabilitiesPort Versus Hierarchical Queuing MPCsCoS Capabilities and ScaleTrio CoS FlowIntelligent OversubscriptionThe Remaining CoS Packet FlowCoS Processing: Port- and Queue-Based MPCsKey Aspects of the Trio CoS ModelTrio CoS Processing SummaryHierarchical CoSThe H-CoS Reference ModelLevel 4: QueuesLevel 3: IFLLevel 2: IFL-SetsLevel 1: IFDRemainingInterface Modes and Excess Bandwidth SharingPriority-Based ShapingFabric CoSControl CoS on Host-Generated TrafficH-CoS SummaryPer-VLAN Queuing for Non-Queuing MPCsPer-Unit Scheduler Case Study on MPC4ePer-Unit Scheduling for Non-Q MPC SummaryTrio Scheduling and QueuingScheduling DisciplineScheduler Priority LevelsScheduler ModesH-CoS and Aggregated Ethernet InterfacesSchedulers, Scheduler Maps, and TCPsTrio Scheduling and Priority SummaryMX Trio CoS DefaultsFour Forwarding Classes, but Only Two QueuesDefault BA and Rewrite Marker TemplatesMX Trio CoS Defaults SummaryFlexible Packet RewritePolicy Map SummaryPredicting Queue ThroughputWhere to Start?Trio CoS Proof-of-Concept Test LabPredicting Queue Throughput SummaryCoS LabConfigure Unidirectional CoSVerify Unidirectional CoSConfirm Scheduling BehaviorAdd H-CoS for Subscriber AccessConfigure H-CoSVerify H-CoSTrio CoS SummaryChapter Review QuestionsChapter Review Answers
What Is Virtual Chassis?MX-VC TerminologyMX-VC Use CaseMX-VC RequirementsMX-VC ArchitectureMX-VC Interface NumberingMX-VC Packet WalkthroughVirtual Chassis TopologyMastership ElectionPreserving VCP BandwidthSummaryMX-VC ConfigurationChassis Serial NumberMember IDR1 VCP InterfaceRouting Engine GroupsVirtual Chassis ConfigurationR2 VCP InterfaceVirtual Chassis VerificationRevert to StandaloneSummaryVCP Interface Class of ServiceVCP Traffic EncapsulationVCP Class of Service WalkthroughForwarding ClassesSchedulersClassifiersRewrite RulesFinal ConfigurationVerificationSummaryChapter Review QuestionsChapter Review Answers
Junos Load Balancing OverviewPer-Prefix Versus Per-Flow Load BalancingHashingHash ComputationThe Next-HopJunos Load Balancing SummaryTrio Load Balancing and Backward CompatibilityHost Outbound Load BalancingConfigure Per-Family Load BalancingFamily and Enhanced Hash Field SummaryWhat About Multicast?Advanced Load BalancingThe Problem of PolarizationSymmetric Load BalancingConsistent HashingAdaptive Load BalancingSummaryChapter Review QuestionsChapter Review Answers
What Are Trio Inline Services?J-FlowJ-Flow EvolutionInline IPFIX PerformanceInline IPFIX Software ArchitectureInline IPFIX ConfigurationInline IPFIX VerificationIPFIX SummaryNetwork Address TranslationTypes of NATServices Inline InterfaceService SetsDestination NAT ConfigurationNetwork Address Translation SummaryTunnel ServicesEnabling Tunnel ServicesA Tunneled Packet WalkthroughTunnel Services RedundancyInline GRE with Filter-Based TunnelCase Study: Traffic Mitigation Based on GRE Filter-Based TunnelCase Study: Interconnect Logical and Physical RoutersTunnel Services SummaryPort MirroringPort Mirror Supported FamiliesPort Mirroring Case StudyPort Mirroring SummaryLayer 2 AnalyzerLayer 2 Analyzer ConfigurationLayer 2 Analyzer Case StudyLayer 2 Analyzer SummarySummaryChapter Review QuestionsChapter Review Answers
Multi-Chassis Link AggregationMC-LAG State OverviewMC-LAG Family SupportMulti-Chassis Link Aggregation Versus MX Virtual ChassisMC-LAG SummaryInter-Chassis Control ProtocolICCP HierarchyICCP Topology GuidelinesHow to Configure ICCPICCP Configuration GuidelinesICCP Split BrainICCP SummaryMC-LAG ModesActive-StandbyActive-ActiveMC-LAG Modes SummaryCase StudyLogical Interfaces and Loopback AddressingLayer 2Layer 3MC-LAG ConfigurationConnectivity VerificationCase Study SummarySummaryChapter Review QuestionsChapter Review Answers

Junos High-Availability Feature OverviewGraceful Routing Engine SwitchoverThe GRES ProcessConfigure GRESGRES SummaryGraceful RestartGR ShortcomingsGraceful Restart Operation: OSPFGraceful Restart and Other Routing ProtocolsConfigure and Verify OSPF GRGraceful Restart SummaryNonstop Routing and BridgingReplication, the Magic That Keeps Protocols RunningNonstop BridgingCurrent NSR/NSB SupportThis NSR Thing Sounds Cool: So What Can Go Wrong?Configure NSR and NSBVerify NSR and NSBNSR SummaryIn-Service Software UpgradesISSU OperationISSU Layer 3 Protocol SupportISSU Layer 2 SupportISSU: A Double-Edged KnifeISSU SummaryISSU LabVerify ISSU ReadinessPerform an ISSUSummaryChapter Review QuestionsChapter Review Answers
Why Use vMX and for What Purpose?Physical or VirtualBenefits of Using vMXDeployments to Use with vMXA Technical Overview of vMXSeveral vMX Instances per ServerNetwork Virtualization Techniques for vMXvMX LicensingSummaryvMX and the Virtual WorldVirtualization ConceptsSummaryResources for Installing vMX for Lab SimulationvMX Initial ConfigurationTechnical Details of the vMXVCP/VFP ArchitecturevMX Packet WalkthroughThe vMX QoS ModelSummaryChapter Review QuestionsChapter Review Answers

Content preview from Juniper MX Series, 2nd Edition

Chapter 3. Stateless Filters, Hierarchical Policing, and Tri-Color Marking

This chapter covers stateless firewall filters and policers on MX routers. The MX Series has some special features and hardware that can make firewall filters and policers not only stronger, faster, and smarter, but also, once you get the hang of their operation, easier. So even if you think you know how to protect the Routing Engine, don’t skip this chapter or the next. The MX Series is one awesome piece of iron, and users are always finding new ways to deploy its features for revenue. As critical infrastructure, it’s well worth protecting; after all, the best rock stars have bodyguards these days.

By the way, this chapter is an overview, but is required reading for Chapter 4, where we blast right into case studies of IPv4 and IPv6 Routing Engine protection filters and coverage of the new DDoS policing feature available on Trio platforms. Chapter 4 is not going to pause to go back and reiterate the key concepts found here in Chapter 3.

The topics discussed in this chapter include:

Firewall filtering and policing overview
Filter operation
Policer types and operation
Filter and policer application points
Transit filtering case study: Bridging with BUM protection

Firewall Filter and Policer Overview

The primary function of a firewall filter is to enhance security by blocking packets based on various match criteria. Filters are also used to perform multifield classification, a process whereby ...