book

JUNOS High Availability

by James Sonderegger, Orin Blomberg, Kieran Milne, Senad Palislamovic

August 2009

Intermediate to advanced

690 pages

20h 14m

English

O'Reilly Media, Inc.

Read now

Unlock full access

JUNOS High Availability
Preface
What Is High Availability?
How to Use This Book
What’s in This Book?
Part IPart IIPart IIIPart IV
Conventions Used in This Book
Using Code Examples
Safari® Books Online
Comments and Questions
Acknowledgments

I. JUNOS HA Concepts
1. High Availability Network Design Considerations
Why Mention Cost in a Technical Book?
A Simple Enterprise Network
Redundancy and the Layered Model
Redundant Site ArchitecturesRedundant Component ArchitecturesCombined Component and Site-Redundant ArchitecturesRedundant System ArchitecturesCombined System- and Site-Redundant ArchitecturesCombined System- and Component-Redundant ArchitecturesCombined System-, Component-, and Site-Redundant Architectures
What Does It All Mean?
2. Hardware High Availability
Divide and Conquer
The Brains: The Routing EngineRE comparisonM SeriesMX SeriesT SeriesEX SeriesSRX SeriesJ SeriesThe Brawn: The Packet Forwarding EngineHardware componentsModel comparisonM SeriesMX SeriesT SeriesEX SeriesSRX SeriesJ Series
Packet Flows
M SeriesMX SeriesT SeriesEX SeriesSRX SeriesJ Series
Redundancy and Resiliency
M SeriesMX SeriesT SeriesJ SeriesSRX SeriesEX Series
3. Software High Availability
Software Architecture
Stable FoundationsModular DesignDaemons
One OS to Rule Them
Single OSForks and trainsNo reeducation through laborOne Release Architecture
Automation of Operations
Configuration ManagementApplication Programming InterfacesScriptingCommit scriptsOperation scriptsEvent policy scripts
4. Control Plane High Availability
Under the Hood of the Routing Engine
Routing Update ProcessStep 1: Verify that the RE and PFEs are upStep 2: Verify that the socket is builtStep 3: Verify that there is a valid TNP communicationStep 4: Verify that BGP adjacencies are establishedStep 5: Verify that BGP updates are being receivedStep 6: Verify that route updates are processed correctlyStep 7: Verify that the correct next hop is being selectedStep 8: Verify that the correct copy of the route is being selected for kernel updateStep 9: Verify that the correct copy of the route is being sent to the forwarding planeStep 10: Verify that the correct copy of the route is being installed into the forwarding plane on the PFE complex
Graceful Routing Engine Switchover
Implementation and ConfigurationConfiguration examplesTroubleshooting GRES
Graceful Restart
Graceful Restart in OSPFConfigurationImmunizing against topology changeGraceful Restart in IS-ISConfigurationGraceful Restart in BGPRestarting the nodePeersConfiguration
MPLS Support for Graceful Restart
Graceful Restart in RSVPConfigurationGraceful Restart in LDPConfigurationGraceful Restart in MPLS-Based VPNsConfigurationGraceful Restart in Multicast Protocols, PIM, and MSDP
Non-Stop Active Routing
Implementation Details and Configs
Non-Stop Bridging
Implementation Details and Configurations
Choosing Your High Availability Control Plane Solution
5. Virtualization for High Availability
Virtual Chassis in the Switching Control Plane
VC RolesIDs for VCsPriorities and the Election ProcessHow to rig an electionBasic VC Setup and ConfigurationEliminating Loops Within the VCHighly Available Designs for VCsManipulating a split VCServer resilience with VCs
Control System Chassis
Requirements and ImplementationConsolidation Example and ConfigurationTaking Consolidation to the Next Level: Scalable Route Reflection
II. JUNOS HA Techniques
6. JUNOS Pre-Upgrade Procedures
JUNOS Package Overview
Software Package Naming ConventionsWhen to Upgrade JUNOS in a High Availability EnvironmentThe Right Target Release for a High Availability EnvironmentHigh Availability Upgrade StrategyConduct a lab trialChoose the device to upgradeEnsure router steady stateSave the working configurationSystem-archive a copy of the working configurationEstablish a quarantine period
Pre-Upgrade Verifications
Filesystems and LogsChecklist
Moving Services Away from a Router
Interface ConfigurationSwitching Ownership of a VRRP Virtual IPIGP Traffic Control TweaksOSPF and the overload bitMoving the designated routerThe overload bit and IS-ISMoving the DISLabel-Switched PathsRSVP-signaled LSPs
7. Painless Software Upgrades
Snapshots
Software Upgrades with Unified ISSU
How It WorksImplementation DetailsConfiguration dependenciesGRES configurationNSR configuration
Software Upgrades Without Unified ISSU
Loading a JUNOS Image
Snapshots Redux
Image Upgrade Tweaks and Options
J Series Considerations
CleanupBackup ImagesRescue Configuration
8. JUNOS Post-Upgrade Verifications
Post-Upgrade Verification
Device StateVerify chassis hardwareCheck for alarmsVerify interfacesVerify memoryNetwork State (Routes, Peering Relationships, and Databases)Verify routingRouting table consistencyState of Existing ServicesFilesystems and LogsInstall logfilesMessages fileSyslog settingsRemoval of Configuration Workarounds
Fallback Procedures
Applicability
9. Monitoring for High Availability
I Love Logs
Syslog OverviewFacilitiesSeverityHeader and MSG partsSyslog PlanningPitfallsImplementing SyslogSample configurationMonitoring syslog
Simple Network Management Protocol
SNMP OverviewNotification categoriesRMON alarmsHealth monitoringSNMP PlanningImplementing SNMPSNMPv3RMONHealth monitoringPitfalls
Traffic Monitoring
Traffic Monitoring OverviewTraffic Monitoring PlanningImplementing Traffic MonitoringPacket samplingPort mirroringCountersRoute MonitoringRoute ViewsCyclopsBGPlayerPitfalls
10. Management Interfaces
A GUI for Junior Techs
Using J-WebJ-Web for High Availability
Mid-Level Techs and the CLI
Event Policy PlanningSample event policy configurationEvent Policies for High Availability
Deep Magic for Advanced Techs
JUNOS APIsXSLTSLAXAutomation ScriptsOperation scriptsEvent scriptsWorking with ScriptsPlanning scriptsLoading and calling scriptsRefreshing scripts
11. Management Tools
JUNOScope
OverviewJUNOScope and High AvailabilityLooking GlassConfiguration ManagerInventory Management SystemSoftware ManagerUsing JUNOScopeJUNOScope installation
Juniper AIS
OverviewAIS for High AvailabilityInstallationAIS planning
Partner Tools
Open IP Service Development Platform (OSDP)Partner Solution Development Platform (PSDP)
12. Managing Intradomain Routing Table Growth
Address Allocation
Interface AddressingJUNOS interface addressing syntaxInfrastructure RoutesCustomer RoutesVirtual Router Redundancy ProtocolNetwork Virtualization and Service OverlaysRouting instancesLogical routersEnable VLAN tagging in the primary logical routerConfiguring the service overlay
Address Aggregation
What Is Aggregation?Practical aggregation for a large domainIs there a risk?Use of the Private Address SpacePrivate addressing and internal servicesPrivate addressing and customer servicesPrivate addressing, NAT, and MIPUse of Public Address SpaceStatic RoutesWhen to configure static routesUsing Protocol Tweaks to Control Routing Table SizeIS-IS areas and levelsOSPF areas
13. Managing an Interdomain Routing Table
Enterprise Size and Effective Management
Small to Medium-Size Enterprise PerspectiveLarge Enterprises and Service ProvidersAS Number
Border Gateway Protocol (BGP)
EBGP Loop PreventionIBGP Loop PreventionIBGP full-mesh requirementsImplications of full mesh for high availabilityAlternatives to full meshRoute ReflectionRoute reflection basicsHigh availability design considerations for route reflectionTurning it onRoute reflectors and policy configurationRoute reflection and next-hop self: What not to doWhat is wrong with this picture?Be terrific; be specificConfederationConfederation syntaxImplications of confederation for high availabilityConfiguration for redundancyHow does multihop affect my routing table?Common High Availability Routing PoliciesLocal address filtersPrefix-length enforcementDefault routes: To block or not to block?Route dampingA “damp” policyImplications of dampingBGP Tweak: Prefix LimitImplications of route and prefix limits
III. Network Availability
14. Fast High Availability Protocols
Protocols for Optical Networks
Ethernet Operations, Administration, and Maintenance (OAM)IEEE 802.1ah and 802.1agSONET/SDH Automatic Protection Switching
Rapid Spanning Tree Protocol
Interior Gateway Protocols
Bidirectional Forwarding Detection
Setting the Interval for BFD Control Packets
Virtual Router Redundancy Protocol
MPLS Path Protection
Fast RerouteNode and Link Protection
15. Transitioning Routing and Switching to a Multivendor Environment
Industry Standards
Multivendor Architecture for High Availability
Two Sensible ApproachesLayered approach to multivendor networksCDA modelPE-CE modelSite-based approach to multivendor networksMultivendor As a Transition StateLayered transitionsSite-based transitions
Routing Protocol Interoperability
Interface ConnectivityOSPF Adjacencies Between Cisco and Juniper EquipmentOSPF authentication keysIBGP PeeringEBGP PeeringThe BGP next hop issueThe other issueSuccess
16. Transitioning MPLS to a Multivendor Environment
Multivendor Reality Check
Cost Concerns
MPLS Signaling for High Availability
A Simple Multivendor TopologyRSVP SignalingTraffic engineeringJuniper–Cisco RSVPRouter r5 configurationLDP SignalingA few LDP implementation differences
MPLS Transition Case Studies
Case Study 1: Transitioning Provider DevicesPhase 1: P router transitionPhase 2: P router transitionPhase 3: P router transitionFinal state: P router transitionCase Study 2: Transitioning Provider Edge DevicesPhase 1: PE router transitionPhase 2: PE router transitionPhase 3: PE router transitionPhase 4: PE router transitionFinal state: PE router transition
17. Monitoring Multivendor Networks
Are You In or Out?
In-Band ManagementOut-of-Band ManagementOoB and fxp0Configuration groups for high availability
SNMP Configuration
JUNOS SNMP ConfigurationIOS SNMP ConfigurationSNMP and MRTG
Syslog Configuration
Syslog in JUNOSSyslog in IOSSyslog and Kiwi
Configuration Management
Configuration for AAA
TACACS+JUNOS authenticationIOS authenticationJUNOS locally defined accounts and authorizationIOS authorizationJUNOS accounting (activity tracking)IOS accounting (activity tracking)
JUNOS GUI Support
What IS Normal?
18. Network Scalability
Hardware Capacity
Device Resources to MonitorControl plane capacity best practicesData plane specifications
Network Scalability by Design
Scaling BGP for High AvailabilityRoute reflectors and clustersWhat’s the point?MPLS for Network Scalability and High AvailabilityBasic LSP configuration syntaxSecondary LSPsHot standbyFast rerouteLink and node-link protectionTraffic Engineering Case Study
19. Choosing, Migrating, and Merging Interior Gateway Protocols
Choosing Between IS-IS and OSPF
OSPFAdvantagesDisadvantagesHigh availability features for OSPF in JUNOS SoftwareLink and node failure detectionAuthenticating packetsDesignated routersGraceful RestartNon-Stop Active RoutingOverloadPrefix limitsBidirectional Forwarding DetectionIS-ISAdvantagesDisadvantagesHigh availability features for IS-IS in JUNOS SoftwareLink and node failure detectionAuthenticating packetsGraceful RestartNon-Stop Active RoutingOverloadPrefix limitsBidirectional Forwarding DetectionWhich Protocol Is “Better”?A final thought
Migrating from One IGP to Another
Migrating from OSPF to IS-ISStep 1: Plan for the migrationStep 2: Add IS-IS to the networkStep 3: Make IS-IS the “preferred” IGPStep 4: Verify the success of the migrationStep 5: Remove OSPF from the networkMigrating from IS-IS to OSPFStep 1: Plan for the migrationStep 2: Add OSPF to the networkStep 3: Make OSPF the “preferred” IGPStep 4: Verify the success of the migrationStep 5: Remove IS-IS from the network
Merging Networks Using a Common IGP
ConsiderationsArea designMatching configuration parametersTunnelingOther Options for Merging IGPsBGPRouting instances
20. Merging BGP Autonomous Systems
Planning the Merge
ArchitectureMaking the choicePitfallsExternal peeringRoute reflector 1Route reflector 2Oscillation commencesOutcomesBGP Migration Features in JUNOSGraceful RestartNon-Stop Active RoutingFull mesh made easy (well, easier)Zen and the art of AS numbersSometimes loopy is OK
Merging Our ASs Off
Merge with Full MeshIBGPBring in the EBGP peerMerge with Route ReflectorsCluster 1Cluster 2Merge with Confederations
Monitoring the Merge
Neighbor PeeringPersistent route oscillation
21. Making Configuration Audits Painless
Why Audit Configurations?
Knowledge Is PowerJUNOS: Configuration Auditing Made Easy
Configuration Auditing 101
Organizing the AuditConfiguration modulesFunctional network areasOrganization involvement
Auditing Configurations
Baseline ConfigurationsSaving a baselineBaseline configuration with JUNOS groupsBaseline configuration with commit scriptsManually Auditing ConfigurationsManual auditing through the GUIManual auditing through the CLIAutomating Configuration AuditsEvent policiesJUNOScopeAdvanced Insight Solution
Performing and Updating Audits
Auditing IntervalsAnalyzing UpdatesAuditing Changes
22. Securing Your Network Equipment Against Security Breaches
Authentication Methods
Local Password AuthenticationRADIUS and TACACS+ AuthenticationAuthentication Order
Hardening the Device
Use a Strong Password, and Encrypt ItDisable Unused Access MethodsControl Physical Access to the DeviceControl Network Access to the DeviceControl and Authenticate Protocol TrafficDefine Access Policies
Firewall Filters
Firewall Filter SyntaxMatch conditionsActionsEvaluating filtersImplicit discardApplying Firewall FiltersUsing Firewall Filters to Protect the NetworkSpoof preventionSecuring a web/FTP serverThe options are endlessUsing Firewall Filters to Protect the Routing EngineStateful Firewalls
23. Monitoring and Containing DoS Attacks in Your Network
Attack Detection
Using Filtering to Detect Ping AttacksUsing Filtering to Detect TCP SYN Attacks
Taking Action When a DoS Attack Occurs
Using Filtering to Block DoS AttacksFilter some, filter allRequest Help from Your Upstream Provider
Attack Prevention
Eliminate Unused ServicesEnable Reverse Path ForwardingUse Firewall FiltersUse Rate LimitingDeploy Products Specifically to Address DoS Attacks
Gathering Evidence
Firewall Logs and CountersPort MirroringSamplingcflowd
24. Goals of Configuration Automation
CLI Configuration Automation
Hierarchical ConfigurationProtections for Manual ConfigurationUser accessExclusive configurationPrivate configurationTransaction-Based ProvisioningStandard commitsCommit with scriptsPersistent changesTransient changesScript processingArchives and RollbackConfiguration stores
Automating Remote Configuration
25. Automated Configuration Strategies
Configuration Change Types
DeploymentNetwork equipmentServicesInfrastructureAd Hoc ChangesWorkaroundsOne-off configurations
Automation Strategies
Global StrategiesDeploymentHardware deploymentInterfacesRouting enginesService deploymentInfrastructureInterfacesRoutingAd Hoc ChangesWorkaroundsJUNOS issuesExternal device issuesOne-off workarounds
IV. Appendixes
A. System Test Plan
Physical Inspection and Power On
Check General System Status
Check for Any Active AlarmsSave the System Hardware Configuration for Future ReferenceCheck Voltages and TemperaturesCheck the Status of the Individual Components
Check Routing Engine and Storage Media
Check Routing Engine StatusCheck Storage Media on Each Routing Engine
Test Optical Interfaces
Configure a Private IP Address and Run Ping TestsRun a loopback test on SONET/SDH interfacesRun a loopback test on Fast Ethernet and Gigabit Ethernet interfaces
Failover and Redundancy Tests
Routing Engine RedundancySFM Redundancy (M40e Platform Only)
Final Burn-In Check
Power Down the RouterPower On the Router/Burn-In TestFinal Checks and Power Down
B. Configuration Audit
Audit Responsibilities
Audit Response Key
Audit Checklist
Audit Interval
C. High Availability Configuration Statements
Routing Engine and Switching Control Board
cfeb
description
failover on-disk-failure
failover on-loss-of-keepalives
failover other-routing-engine
feb (Creating a Redundancy Group)
feb (Assigning a FEB to a Redundancy Group)
keepalive-time
no-auto-failover
redundancy
redundancy-group
routing-engine
sfm
ssb
Graceful Routing Engine Switchover
graceful-switchover
Nonstop Bridging Statements
nonstop-bridging
Nonstop Active Routing
commit synchronize
nonstop-routing
traceoptions
Graceful Restart
disable
graceful-restart
helper-disable
maximum-helper-recovery-time
maximum-helper-restart-time
maximum-neighbor-reconnect-time
maximum-neighbor-recovery-time
no-strict-lsa-checking
notify-duration
reconnect-time
recovery-time
restart-duration
restart-time
stale-routes-time
traceoptions
VRRP
accept-data
advertise-interval
authentication-key
authentication-type
bandwidth-threshold
fast-interval
hold-time
inet6-advertise-interval
interface
preempt
priority
priority-cost
priority-hold-time
route
startup-silent-period
traceoptions
track
virtual-address
virtual-inet6-address
virtual-link-local-address
vrrp-group
vrrp-inet6-group
Unified In-Service Software Upgrade (ISSU)
no-issu-timer-negotiation
traceoptions
Index
About the Authors
Colophon
Copyright

Content preview from JUNOS High Availability

Syslog Configuration

System logging, or syslog, is a commonly implemented standard for managing and monitoring devices in a network. In many ways, syslog behaves similarly to SNMP traps. When specific events occur, syslog triggers messages that are logged on the local chassis and that are typically also sent to a syslog server. While syslog does have a number of recognized limitations, it is appropriate for multivendor environments because it is standardized by the Internet Engineering Task Force (IETF) and is widely supported among network hardware vendors.

Syslog in JUNOS

In a JUNOS system, logs can be stored on the local chassis, written to the screen of an active user, or written to a remote device. In the following configuration sample, user Pike_Vaughn sees syslog messages of facility (category) any and severity info on his screen when he is logged into the chassis. The host machine at 192.168.17.17 receives system log notices sourced from IP address 10.0.0.5.

As with SNMP, defining the source IP is critical because many syslog servers filter entries based on their source. Definition of source IP is also necessary if you use event correlation tools to parse and analyze entries written to a syslog server. Without a specified source-address, the outbound interface is used as the source of the syslog send back to the server. Depending on what form of management is used (in-band versus OoB), that OoB interface could potentially change in times of network trouble:

[edit system syslog] ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Juniper Networks® Field Guide and Reference

Publisher Resources

ISBN: 9780596805449Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

JUNOS High Availability

by James Sonderegger, Orin Blomberg, Kieran Milne, Senad Palislamovic

Syslog Configuration

Syslog in JUNOS

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Juniper Networks® Field Guide and Reference

Network Performance Baselining

CCNP Collaboration Cloud and Edge Solutions CLCEI 300-820 Official Cert Guide

Juniper QFX10000 Series

Publisher Resources