book

Juniper MX Series, 2nd Edition

by Douglas Richard Hanks, Harry Reynolds, David Roy

September 2016

Intermediate to advanced

1140 pages

30h 11m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Second Edition NotesNo ApologiesBook TopologyInterface NamesAggregate Ethernet AssignmentsLayer 2IPv4 AddressingIPv6 AddressingWhat’s in This Book?Conventions Used in This BookSafari® Books OnlineHow to Contact Us
1. Juniper MX Architecture
Junos OSOne JunosSoftware ReleasesJunos Continuity—JAMSoftware ArchitectureRouting SocketsJunos OS ModernizationJuniper MX ChassisvMXMX80MidrangeMX104MX240MX480MX960MX2010 and MX2020TrioTrio ArchitectureTrio GenerationsBuffering BlockLookup BlockInterfaces BlockDense Queuing BlockLine Cards and ModulesDense Port ConcentratorModular Port ConcentratorPacket WalkthroughModular Interface CardNetwork ServicesSwitch and Control BoardEthernet SwitchSwitch FabricMX Switch Control BoardEnhanced MX Switch Control BoardJ-CellSummaryChapter Review QuestionsChapter Review Answers
2. Bridging, VLAN Mapping, IRB, and Virtual Switches
Isn’t the MX a Router?Layer 2 NetworkingEthernet IIIEEE 802.1QIEEE 802.1QinQJunos InterfacesInterface Bridge ConfigurationBasic Comparison of Service Provider Versus Enterprise StyleService Provider Interface Bridge ConfigurationTaggingEncapsulationService Provider Bridge Domain ConfigurationEnterprise Interface Bridge ConfigurationInterface ModeVLAN RewriteService Provider VLAN MappingStack Data StructureStack OperationsStack Operations MapTag CountBridge Domain RequirementsExample: Push and PopExample: Swap-Push and Pop-SwapBridge DomainsLearning DomainBridge Domain ModesVLAN Normalization and Rewrite OperationsBridge Domain OptionsShow Bridge Domain CommandsClear MAC AddressesMAC AccountingIntegrated Routing and BridgingIRB AttributesVirtual SwitchConfigurationVXLANVXLAN as a Layer 2 OverlayVXLAN on MX SeriesSummaryChapter Review QuestionsChapter Review Answers
3. Stateless Filters, Hierarchical Policing, and Tri-Color Marking
Firewall Filter and Policer OverviewStateless Versus StatefulStateless Filter ComponentsFilters Versus Routing PolicyFilter ScalingFiltering Differences for MPC Versus DPCFilter OperationStateless Filter ProcessingPolicingRate Limiting: Shaping or Policing?Junos Policer OperationCascaded PolicersSingle and Two-Rate Three-Color PolicersHierarchical PolicersApplying Filters and PolicersFilter Application PointsApplying PolicersPolicer Context SummaryPolicer Application RestrictionsAdvanced Filtering FeaturesEnhanced Filter Modeflexible-match FilterFast Lookup FilterAdvanced Filtering SummaryBridge Filtering Case StudyFilter Processing in Bridged and Routed EnvironmentsMonitor and Troubleshoot Filters and PolicersBridge Family Filter and Policing Case StudyBridge Filtering SummaryService Provider DDOS Filtering Case StudySummaryChapter Review QuestionsChapter Review Answers
4. Routing Engine Protection and DDoS Prevention
RE Protection Case StudyIPv4 RE Protection FilterIPv6 RE Protection FilterDDoS Protection Case StudyThe Issue of Control Plane DepletionDDoS Operational OverviewDDoS Configuration and Operational VerificationDDoS Case StudyThe Attack Has Begun!Suspicious Control Flow DetectionSCFD VocabularyConfigure Flow DetectionCase Study: Suspicious Flow DetectionSuspicious Control Flow Detection SummaryMitigate DDoS AttacksBGP Flow-Specification to the RescueWhat’s New in the World of Flow-Spec?BGP Flow-Specification Case StudyLet the Attack Begin!SummaryChapter Review QuestionsChapter Review Answers
5. Trio Class of Service
MX CoS CapabilitiesPort Versus Hierarchical Queuing MPCsCoS Capabilities and ScaleTrio CoS FlowIntelligent OversubscriptionThe Remaining CoS Packet FlowCoS Processing: Port- and Queue-Based MPCsKey Aspects of the Trio CoS ModelTrio CoS Processing SummaryHierarchical CoSThe H-CoS Reference ModelLevel 4: QueuesLevel 3: IFLLevel 2: IFL-SetsLevel 1: IFDRemainingInterface Modes and Excess Bandwidth SharingPriority-Based ShapingFabric CoSControl CoS on Host-Generated TrafficH-CoS SummaryPer-VLAN Queuing for Non-Queuing MPCsPer-Unit Scheduler Case Study on MPC4ePer-Unit Scheduling for Non-Q MPC SummaryTrio Scheduling and QueuingScheduling DisciplineScheduler Priority LevelsScheduler ModesH-CoS and Aggregated Ethernet InterfacesSchedulers, Scheduler Maps, and TCPsTrio Scheduling and Priority SummaryMX Trio CoS DefaultsFour Forwarding Classes, but Only Two QueuesDefault BA and Rewrite Marker TemplatesMX Trio CoS Defaults SummaryFlexible Packet RewritePolicy Map SummaryPredicting Queue ThroughputWhere to Start?Trio CoS Proof-of-Concept Test LabPredicting Queue Throughput SummaryCoS LabConfigure Unidirectional CoSVerify Unidirectional CoSConfirm Scheduling BehaviorAdd H-CoS for Subscriber AccessConfigure H-CoSVerify H-CoSTrio CoS SummaryChapter Review QuestionsChapter Review Answers
6. MX Virtual Chassis
What Is Virtual Chassis?MX-VC TerminologyMX-VC Use CaseMX-VC RequirementsMX-VC ArchitectureMX-VC Interface NumberingMX-VC Packet WalkthroughVirtual Chassis TopologyMastership ElectionPreserving VCP BandwidthSummaryMX-VC ConfigurationChassis Serial NumberMember IDR1 VCP InterfaceRouting Engine GroupsVirtual Chassis ConfigurationR2 VCP InterfaceVirtual Chassis VerificationRevert to StandaloneSummaryVCP Interface Class of ServiceVCP Traffic EncapsulationVCP Class of Service WalkthroughForwarding ClassesSchedulersClassifiersRewrite RulesFinal ConfigurationVerificationSummaryChapter Review QuestionsChapter Review Answers
7. Trio Load Balancing
Junos Load Balancing OverviewPer-Prefix Versus Per-Flow Load BalancingHashingHash ComputationThe Next-HopJunos Load Balancing SummaryTrio Load Balancing and Backward CompatibilityHost Outbound Load BalancingConfigure Per-Family Load BalancingFamily and Enhanced Hash Field SummaryWhat About Multicast?Advanced Load BalancingThe Problem of PolarizationSymmetric Load BalancingConsistent HashingAdaptive Load BalancingSummaryChapter Review QuestionsChapter Review Answers
8. Trio Inline Services
What Are Trio Inline Services?J-FlowJ-Flow EvolutionInline IPFIX PerformanceInline IPFIX Software ArchitectureInline IPFIX ConfigurationInline IPFIX VerificationIPFIX SummaryNetwork Address TranslationTypes of NATServices Inline InterfaceService SetsDestination NAT ConfigurationNetwork Address Translation SummaryTunnel ServicesEnabling Tunnel ServicesA Tunneled Packet WalkthroughTunnel Services RedundancyInline GRE with Filter-Based TunnelCase Study: Traffic Mitigation Based on GRE Filter-Based TunnelCase Study: Interconnect Logical and Physical RoutersTunnel Services SummaryPort MirroringPort Mirror Supported FamiliesPort Mirroring Case StudyPort Mirroring SummaryLayer 2 AnalyzerLayer 2 Analyzer ConfigurationLayer 2 Analyzer Case StudyLayer 2 Analyzer SummarySummaryChapter Review QuestionsChapter Review Answers
9. Multi-Chassis Link Aggregation
Multi-Chassis Link AggregationMC-LAG State OverviewMC-LAG Family SupportMulti-Chassis Link Aggregation Versus MX Virtual ChassisMC-LAG SummaryInter-Chassis Control ProtocolICCP HierarchyICCP Topology GuidelinesHow to Configure ICCPICCP Configuration GuidelinesICCP Split BrainICCP SummaryMC-LAG ModesActive-StandbyActive-ActiveMC-LAG Modes SummaryCase StudyLogical Interfaces and Loopback AddressingLayer 2Layer 3MC-LAG ConfigurationConnectivity VerificationCase Study SummarySummaryChapter Review QuestionsChapter Review Answers

10. Junos High Availability on MX Routers
Junos High-Availability Feature OverviewGraceful Routing Engine SwitchoverThe GRES ProcessConfigure GRESGRES SummaryGraceful RestartGR ShortcomingsGraceful Restart Operation: OSPFGraceful Restart and Other Routing ProtocolsConfigure and Verify OSPF GRGraceful Restart SummaryNonstop Routing and BridgingReplication, the Magic That Keeps Protocols RunningNonstop BridgingCurrent NSR/NSB SupportThis NSR Thing Sounds Cool: So What Can Go Wrong?Configure NSR and NSBVerify NSR and NSBNSR SummaryIn-Service Software UpgradesISSU OperationISSU Layer 3 Protocol SupportISSU Layer 2 SupportISSU: A Double-Edged KnifeISSU SummaryISSU LabVerify ISSU ReadinessPerform an ISSUSummaryChapter Review QuestionsChapter Review Answers
11. The Virtual MX
Why Use vMX and for What Purpose?Physical or VirtualBenefits of Using vMXDeployments to Use with vMXA Technical Overview of vMXSeveral vMX Instances per ServerNetwork Virtualization Techniques for vMXvMX LicensingSummaryvMX and the Virtual WorldVirtualization ConceptsSummaryResources for Installing vMX for Lab SimulationvMX Initial ConfigurationTechnical Details of the vMXVCP/VFP ArchitecturevMX Packet WalkthroughThe vMX QoS ModelSummaryChapter Review QuestionsChapter Review Answers
Index

Content preview from Juniper MX Series, 2nd Edition

Chapter 4. Routing Engine Protection and DDoS Prevention

This chapter builds upon the last by providing a concrete example of stateless firewall filter and policer usage in the context of a Routing Engine protection filter, and also demonstrates the new Trio-specific DDoS prevention feature that hardens the already robust Junos control plane with no explicit configuration required.

The RE protection topics discussed include:

IPv4 and IPv6 control plane protection filter case study
DDoS feature overview
DDoS protection case study
Mitigating DDoS with BGP flow specification
BGP flow-specification case study

RE Protection Case Study

This case study presents a current best practice example of a stateless filter to protect an MX router’s IPv4 and IPv6 control plane. In addition, the DDoS detection feature, available on Trio-based MX routers starting with release v11.2, is examined and then combined with RE filtering to harden the router against unauthorized access and resource depletion.

As networks become more critical, security and high availability become ever more crucial. The need for secure access to network infrastructure, both in terms of user-level authentication and authorization and all the way to the configuration and use of secure access protocols like SSH, is a given. So much so that these topics have been covered in many recent books. So as to not rehash the same information, readers interested in these topics are directed to Junos Enterprise Routing, Second Edition, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491932711Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Juniper MX Series, 2nd Edition

by Douglas Richard Hanks, Harry Reynolds, David Roy

Chapter 4. Routing Engine Protection and DDoS Prevention

RE Protection Case Study

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.