Tag Archives: security

Checking ISO and/or File Images via CLI

If you have downloaded an ISO or disk image and want to check that it hasn’t been tampered with or corrupted, Ubuntu ships MD5 and SHA hash checkers pre-installed as part of the OS.

For MD5 checking you will use md5sum

md5sum path/to/image

[email protected]:/tmp$ md5sum ubuntu-14.04.2-server-amd64.iso 
83aabd8dcf1e8f469f3c72fff2375195  ubuntu-14.04.2-server-amd64.iso

For SHA checking, you will use one of the commands below (depending on which hash the publisher provides); typing sha and pressing Tab lists them:

[email protected]:~$ sha
sha1sum       sha256sum     sha512sum     shasum        
sha224sum     sha384sum     shadowconfig

sha1sum path/to/image

[email protected]:/tmp$ sha1sum ubuntu-14.04.2-server-amd64.iso 
3bfa6eac84d527380d0cc52db9092cde127f161e  ubuntu-14.04.2-server-amd64.iso

You can then compare the MD5/SHA hashes against the known-good values published alongside the image. If they match (which these do):


You are good to go, knowing you have a legit version! 😀
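The same check in code, as an added example that is not part of the original post: it streams the image through hashlib so a multi-gigabyte ISO never sits in memory, parses the "digest  filename" lines that md5sum/sha*sum print (and that distributions publish as MD5SUMS/SHA256SUMS files), picks the algorithm from the digest length and compares in constant time. The sample file and its checksum line are constructed here (the content "abc" is a standard hash test vector); the md5sum line from above is reused only as parser input.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: a 600 MB ISO is hashed without loading it into RAM

# Digest length in hex characters identifies the coreutils tool that produced it.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample "image" and a SHA256SUMS-style line for it; the '*' marks binary
# mode, as the checksum files published for Ubuntu images do.
SAMPLE_DATA = b"abc"
SAMPLE_SUMS = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *sample.iso\n"


def file_digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks; algo is any hashlib name (md5, sha1, sha256, sha512)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def algo_for_digest(digest):
    """Map a hex digest to the hash function by its length, as md5sum/sha*sum output implies."""
    try:
        return ALGO_BY_LEN[len(digest.strip())]
    except KeyError:
        raise ValueError("digest length %d matches no supported hash" % len(digest.strip()))


def verify_file(path, expected_hex, algo=None):
    """True only if the file hashes to expected_hex; compare_digest avoids a timing side channel."""
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algo or algo_for_digest(expected))
    return hmac.compare_digest(actual, expected)


def parse_sums(text):
    """Parse 'digest  filename' lines (md5sum/sha*sum output, MD5SUMS and SHA256SUMS files)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # coreutils prefixes '*' for binary-mode entries
        if name:
            expected[name] = digest.lower()
    return expected


def verify_against_sums(path, sums_text):
    """Look the file up by name in a checksum list and verify it; False if absent or mismatched."""
    expected = parse_sums(sums_text)
    digest = expected.get(os.path.basename(path))
    if digest is None:
        return False
    return verify_file(path, digest)


def make_sample_file(data=SAMPLE_DATA, name="sample.iso"):
    """Write constructed sample content into a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    good = make_sample_file()
    tampered = make_sample_file(SAMPLE_DATA + b"\x00")  # one extra byte is enough to fail
    print("sha256:", file_digest(good))
    print("good image matches SHA256SUMS:", verify_against_sums(good, SAMPLE_SUMS))
    print("tampered image matches SHA256SUMS:", verify_against_sums(tampered, SAMPLE_SUMS))
```

The comparison only proves that the image matches whatever digest you fed in, so take the digests from a source you trust (ideally the publisher's signed checksum file) rather than from the same mirror that served the image.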


Securing Webpages with .htaccess

You will need to have following installed or available:

sudo and/or root privileges
text editor (nano or vi)
apache2-utils

First you will need to enable Apache to allow overrides, which means editing your Apache site config file:

sudo nano /etc/apache2/sites-available/example.co.conf

You will need to add AllowOverride All within the <Directory> section. You have to manually set the Directory section to the folder you want to protect. In this example, I just wanted to protect everything within the html folder:

<Directory /var/www/example.co/html/>
 AllowOverride All
</Directory>

Normally (from my experience) there isn’t a Directory section, so you can just copy and paste the code into your file. In the end it should look something like this:

<VirtualHost *:80>
ServerName example.co
ServerAlias example.co
ServerAdmin [email protected]
DocumentRoot /var/www/example.co/html
 <Directory /var/www/example.co/html/>
   AllowOverride All
 </Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Once you have saved and closed the file, apply the change with an Apache restart:

sudo service apache2 restart

Next, create the .htaccess file in the folder being protected:

touch .htaccess

Within the .htaccess, you will need to add the following details:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/example/.htpasswd
Require valid-user

Save and close, once the details have been added.

Finally, we need to add the users that will have access to the newly restricted folder:

sudo htpasswd -c /home/example/.htpasswd {username}

You will be prompted to enter a password, which will not be echoed.

If you want to add additional users, use the same command without -c (the -c flag creates the file, so repeating it would wipe the existing users):

sudo htpasswd /home/example/.htpasswd {username}

Now you should be able to browse to the website/folder and be greeted with a login prompt 😀

For more in-depth detail and explanation, visit Digital Ocean’s .htaccess guide.
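A small checker for the configuration above, added here as an example rather than code from the post or from Apache: it parses the .htaccess directives, confirms the four lines the post requires are present, checks that AuthUserFile is an absolute path outside DocumentRoot (a password file under the web root is only protected by Apache's default deny rule for names beginning with .ht, so a differently named one would be downloadable), and confirms that the vhost's <Directory> block for the protected folder actually permits AuthConfig overrides, without which Apache ignores the .htaccess entirely. The embedded .htaccess and vhost text are copied from the post; the function names and the checks are this example's own.

```python
import os
import re
import shlex

# The .htaccess and (trimmed) vhost from the post, embedded here as test input.
HTACCESS = """AuthType Basic
AuthName "Restricted Files"
AuthUserFile /home/example/.htpasswd
Require valid-user
"""

VHOST = """<VirtualHost *:80>
ServerName example.co
DocumentRoot /var/www/example.co/html
 <Directory /var/www/example.co/html/>
   AllowOverride All
 </Directory>
</VirtualHost>
"""

REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")
DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def parse_directives(text):
    """Directive name -> list of argument lists, for a flat .htaccess (no nested containers)."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted AuthName value
        out.setdefault(parts[0], []).append(parts[1:])
    return out


def check_htaccess(text, document_root):
    """Return a list of problems; an empty list means the file should protect the folder."""
    problems = []
    d = parse_directives(text)
    for name in REQUIRED:
        if name not in d:
            problems.append("missing %s" % name)
    if d.get("AuthUserFile"):
        args = d["AuthUserFile"][0]
        if not args:
            problems.append("AuthUserFile has no path")
        elif not os.path.isabs(args[0]):
            problems.append("AuthUserFile must be an absolute path")
        else:
            root = os.path.normpath(document_root)
            if os.path.commonpath([root, os.path.normpath(args[0])]) == root:
                # only Apache's default <FilesMatch "^\.ht"> rule hides such a file;
                # any other name under DocumentRoot is served to anyone who asks
                problems.append("AuthUserFile is inside DocumentRoot")
    if d.get("Require"):
        args = d["Require"][0]
        if args[:2] == ["all", "granted"]:
            problems.append("Require all granted disables the login prompt")
        elif not args or args[0] not in ("valid-user", "user", "group"):
            problems.append("Require does not restrict access to authenticated users")
    return problems


def allowoverride_permits_auth(vhost_text, protected_dir):
    """True if the <Directory> block for protected_dir sets AllowOverride All or includes
    AuthConfig. Only an exact path match is considered (Apache also inherits from parents)."""
    target = os.path.normpath(protected_dir)
    for path, body in DIR_RE.findall(vhost_text):
        if os.path.normpath(path) != target:
            continue
        m = re.search(r"^\s*AllowOverride\s+(.+)$", body, re.M | re.I)
        if not m:
            return False  # Apache's default for AllowOverride is None
        opts = m.group(1).split()
        return "All" in opts or "AuthConfig" in opts
    return False


if __name__ == "__main__":
    root = "/var/www/example.co/html"
    print("htaccess problems:", check_htaccess(HTACCESS, root))
    print("overrides allowed:", allowoverride_permits_auth(VHOST, root))
```

AuthType Basic sends the username and password base64-encoded rather than encrypted, so a folder protected this way should be served over HTTPS rather than only the plain port-80 vhost shown above.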


JNCIA Refresher #4 – Routing Fundamentals

Packet Forwarding Concepts
Routing Tables
Routing vs. Forwarding Tables
Route Preference
Routing Instances
Static Routing
Dynamic Routing Protocols

Packet Forwarding Concepts

Packet forwarding is the movement of data packets from device to device. This is key for any network: if a networking device doesn’t know how to move a packet outside its own segment/area, the packet will be dropped, and the whole reason we have networks is to move data from one place to another. With that said, a device doesn’t need to know the whole Internet or even the whole network. The most important piece of information a switch, router or any layer 2/3 device needs is the next-hop address. The next-hop provides an exit for the device: if the packet’s destination isn’t located on the device, it passes the packet on to “the next hop” device, and that device does the same until the destination is reached. This is the basis of packet forwarding.

A Juniper device (or any network device, in fact) will have a Routing Engine (RE) and a Packet Forwarding Engine (PFE). These engines (software or hardware based) are what is used to move packets and ultimately control the routing on the device.

The Routing Engine is the control plane of the device. The control plane is where the Routing Information Base (RIB) is stored, and from the RE comes the creation of the packet forwarding switching fabric that will be used for the movement of packets. The RE is responsible for providing filtering information, performing route lookups and determining what the next-hop address will be. It is important to note that the RE does not itself move the packets; it is where the RIB is stored, and the Packet Forwarding Engine uses this information.

The Packet Forwarding Engine is where the forwarding of transit traffic is processed. The PFE directly acts on the packets: it takes the information from the RE and applies it, including any firewall filters, routing and/or security policies, before forwarding each packet on to its next-hop destination.

Routing Tables

Junos is different from other vendors when it comes to viewing information in the Routing Table. Other vendors have multiple commands that you use to see the different tables (for example the routing table for IPv4 and the one for IPv6). In Junos, we just need to use the show route command and we see the multiple routing tables under that single command. Each table is populated with routes as and when they are needed; you could say each table is a database of information for its particular routing type.

As you can see, my router only has IPv4 currently configured, so it will only have the inet.0 table:

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 23:54:16
                    > to 10.1.0.1 via ge-0/0/7.0
10.1.0.0/24        *[Direct/0] 1d 23:54:16
                    > via ge-0/0/7.0
10.1.0.207/32      *[Local/0] 1d 23:54:20
                      Local via ge-0/0/7.0
172.31.100.2/31    *[Direct/0] 1d 23:54:16
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 1d 23:54:20
                      Local via ge-0/0/1.0

It is important to note that I have 5 routes and they are all active. When looking at the routing table, ideally you want Active routes. Routes in the holddown state are pending before being declared inactive. Hidden routes are not in the routing table because a routing policy has excluded them.

Juniper’s definition of Routing Tables:

Junos OS automatically creates and maintains several routing tables. Each routing table is used for a specific purpose. In addition to these automatically created routing tables, you can create your own routing tables. Each routing table populates a portion of the forwarding table. Thus, the forwarding table is partitioned based on routing tables. This allows for specific forwarding behaviour for each routing table.

The table below shows all the tables that are created by default by Junos. At the JNCIA level you will only need to worry about the inet.0 and inet6.0 tables; however, it’s always good to have a bit more info to look into later 😀

Junos Default Routing Tables

inet.0: IPv4 unicast routes. This table stores interface local and direct routes, static routes, and dynamically learned routes.
inet.2: Created when multiprotocol BGP (MBGP) is enabled. This table stores unicast routes that are used for multicast reverse-path-forwarding (RPF) lookups. You can import routes from inet.0 into inet.2 using routing information base (RIB) groups, or install routes directly into inet.2 from a multicast routing protocol.
inet.3: IPv4 MPLS routes. This table stores the egress address of an MPLS label-switched path (LSP), the LSP name, and the outgoing interface name. This routing table is used only when the local device is the ingress node to an LSP.
inet6.0: IPv6 unicast routes. This table stores interface local and direct routes, static routes, and dynamically learned routes.
instance-name.inet.0: Created when you configure a routing instance; Junos OS creates this default unicast routing table for the instance.
instance-name.inet.2: Created when you configure routing-instances instance-name protocols bgp family inet multicast in a routing instance of type VRF; Junos OS then creates the instance-name.inet.2 table.
bgp.l2vpn.0: Created for Layer 2 VPN routes learned from BGP. This table stores routes learned from other provider edge (PE) routers. The Layer 2 routing information is copied into Layer 2 VPN routing and forwarding instances (VRFs) based on target communities.
bgp.l3vpn.0: IPv4 unicast routes. Created for Layer 3 VPN routes learned from BGP. This table stores routes learned from other PE routers.
mpls.0: Created for MPLS label switching operations. This table is used when the local device is a transit router.
iso.0: IS-IS routes. When you are using IS-IS to support IP routing, this table contains only the local device’s network entity title (NET).
juniper_private: Used by Junos OS to communicate internally between the Routing Engine and PIC hardware.

Routing vs. Forwarding Tables

The Routing Information Base (RIB) is located within the Routing Table (RT). As stated in the packet forwarding concepts, the RIB is stored in the Control Plane, which makes the Routing Table part of the Control Plane within Junos. As such, the RT has information about all the available routes that the router could use, but critically it doesn’t make forwarding decisions.

The Forwarding Table (FT) takes the information from the RT, works out the best path for transit traffic and keeps only the best/active paths, in a compressed or pre-compiled format for optimised route lookups. The FT therefore spans both the Control and Forwarding Planes. This makes the relationship between the RT and FT important: without one, the other will fail.

In essence, the process of packet movement would be:

Packet In --> Routing Information Base --> Routing Table --> Forwarding Table --> Packet Out

We can see the difference between the Routing and Forwarding Tables. We can view the Routing Table by running the show route command. As the ‘show route’ output shows, there is some detail, but not a great deal when compared to the forwarding table.

To see the forwarding table, we need to run show route forwarding-table. As the ‘show route forwarding-table’ output shows, the level of detail is greater. In addition, the key thing you need to know from the forwarding table for the JNCIA exam is the two type columns (Destination Types and Next-Hop Types) and what their values mean. These are listed after the outputs below.

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 20:13:19
                    > to 10.1.0.1 via ge-0/0/7.0
10.1.0.0/24        *[Direct/0] 3d 20:13:19
                    > via ge-0/0/7.0
10.1.0.207/32      *[Local/0] 3d 20:13:23
                      Local via ge-0/0/7.0
172.31.100.2/31    *[Direct/0] 3d 20:13:19
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 3d 20:13:23
                      Local via ge-0/0/1.0
[email protected]_SRX> show route forwarding-table    
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     0 ac:4b:c8:79:41:10  ucst   554     3 ge-0/0/7.0
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
10.1.0.0/24        intf     0                    rslv   547     1 ge-0/0/7.0
10.1.0.0/32        dest     0 10.1.0.0           recv   545     1 ge-0/0/7.0
10.1.0.1/32        dest     0 ac:4b:c8:79:41:10  ucst   554     3 ge-0/0/7.0
10.1.0.17/32       dest     1 18:a9:5:40:1a:0    ucst   556     2 ge-0/0/7.0
10.1.0.207/32      intf     0 10.1.0.207         locl   546     2
10.1.0.207/32      dest     0 10.1.0.207         locl   546     2
10.1.0.255/32      dest     0 10.1.0.255         bcst   544     1 ge-0/0/7.0
172.31.100.2/31    intf     0                    rslv   543     1 ge-0/0/1.0
172.31.100.2/32    intf     0 172.31.100.2       locl   542     2
172.31.100.2/32    dest     0 172.31.100.2       locl   542     2
172.31.100.3/32    dest     1 10:e:7e:4e:f:80    ucst   555     2 ge-0/0/1.0
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1
{omitted output}
Destination Types:

intf (Interface): An interface that has been configured on the device.
dest (Destination): A directly reachable destination address. You see an IP address in the next-hop column if the address is local or a network address, and a MAC address if the address isn’t local.
perm (Permanent): Installed as part of the Junos kernel and can’t be removed.
user (Routing): Routes learnt via a routing protocol (e.g. IS-IS, RIP, OSPF, BGP) or configured as static routes.

Next-Hop Types:

ucst (Unicast): A unicast next hop, reached through the interface shown in the Netif column.
dscd (Discard): Packets to this destination are dropped silently, with no ICMP message sent.
rjct (Reject): Packets to this destination are dropped and an ICMP unreachable is sent back.
bcst (Broadcast): A broadcast next hop (e.g. the subnet broadcast address 10.1.0.255 in the output above).
locl (Local Address): Addresses local to the device.
mcst (Multicast): Multicast addresses.

Route Preference

When we look at the routing table, we can see that we have some details about the routes we have learnt:

[email protected]_SRX> show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 20:13:19
                    > to 10.1.0.1 via ge-0/0/7.0
{omitted output}
172.31.100.2/31    *[Direct/0] 3d 20:13:19
                    > via ge-0/0/1.0
172.31.100.2/32    *[Local/0] 3d 20:13:23
                      Local via ge-0/0/1.0

As you can see from the output, we are told how each route is connected to the device and given a value. That value is the Route Preference (known elsewhere as Administrative Distance). The preference is used in the RIB to determine, if you receive the same route from two different protocols, which one makes it into the Routing Table. It’s important to note that when we have Direct and Local routes with the same preference, Junos uses the most specific route: in the example above, 172.31.100.2 has been assigned as the local interface address, so it is given a /32 netmask telling the device that this address is its own.

The table below has a summary of the default route preference values.

Route Preference Number: Protocol
0: Direct/Local Address
5: Static Route
10: OSPF (Internal)
100: RIP
130: Aggregate Routes (Summary Routes)
150: OSPF (External)
170: BGP

The full list of default route preference values is on the Juniper website.

Routing Instances

Routing instances (VRFs on Cisco) are a way of dividing your switch, firewall or router so that the single device has multiple independent Routing Tables. Each routing-instance needs its physical (or logical) interface(s) and its instance-type defined. As you can see below, when you have routing-instances configured, each routing-instance has its own routing table, shown as instance-name.inet.0. It’s important to note that all configuration for the routing-instance needs to be done under the routing-instance stanza, as shown in the “Routing-Instance Configuration” output.

[email protected]_SRX# set routing-instances untrust instance-type ?
Possible completions:
  forwarding           Forwarding instance
  l2backhaul-vpn       L2Backhaul/L2Wholesale routing instance
  l2vpn                Layer 2 VPN routing instance
  layer2-control       Layer 2 control protocols
  mpls-internet-multicast  Internet Multicast over MPLS routing instance
  no-forwarding        Nonforwarding instance
  virtual-router       Virtual routing instance
  virtual-switch       Virtual switch routing instance
  vpls                 VPLS routing instance
  vrf                  Virtual routing forwarding instance
{master:0}
root> show configuration routing-instances 
trust {
    instance-type virtual-router;
    interface vlan.20;
    routing-options {
        static {
            route 172.16.0.0/24 next-hop 192.168.0.1;
        }
    }
}
untrust {
    instance-type virtual-router;
    interface vlan.10;
    routing-options {
        static {
            route 192.168.0.0/24 next-hop 172.16.0.1;
        }
    }
}
root> show route 

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.0.0/24        *[Direct/0] 2w6d 04:28:28
                    > via me0.0
10.1.0.200/32      *[Local/0] 2w6d 04:28:28
                      Local via me0.0
224.0.0.22/32      *[IGMP/0] 2w6d 04:28:29
                      MultiRecv
trust.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24      *[Static/5] 2w2d 01:20:57
                    > to 192.168.0.1 via vlan.20
192.168.0.0/24     *[Direct/0] 2w2d 01:20:57
                    > via vlan.20
192.168.0.2/32     *[Local/0] 2w4d 01:10:24
                      Local via vlan.20
untrust.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.0.0/24      *[Direct/0] 2w2d 01:26:30
                    > via vlan.10
172.16.0.2/32      *[Local/0] 2w4d 01:10:24
                      Local via vlan.10
192.168.0.0/24     *[Static/5] 2w2d 01:26:30
                    > to 172.16.0.1 via vlan.10

Static Routing

As the name suggests, static routing is a route that has been created manually and doesn’t change unless it’s manually updated. When creating a static route, knowing the next-hop information is key, as you are saying where you want this IP address/range to go next. For my example below, I have created a static default route on this device. I have used the “no-readvertise” option, so that this route IS NOT readvertised into the routing-table and NOT routable:

[email protected]_SRX# show routing-options 
static {
    route 0.0.0.0/0 {
        next-hop 10.1.0.1;
        no-readvertise;
    }
}

When creating a static route, there are a number of different options available:

[email protected]_SRX# set routing-options static route 172.31.100.1 ?
Possible completions:
  active               Remove inactive route from forwarding table
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> as-path              Autonomous system path
  backup-pe-group      Multicast source redundancy group
> bfd-liveness-detection  Bidirectional Forwarding Detection (BFD) options
> color                Color (preference) value
> color2               Color (preference) value 2
+ community            BGP community identifier
  discard              Drop packets to destination; send no ICMP unreachables
  install              Install route into forwarding table
> lsp-next-hop         LSP next hop
> metric               Metric value
> metric2              Metric value 2
> metric3              Metric value 3
> metric4              Metric value 4
+ next-hop             Next hop to destination
  next-table           Next hop to another table
  no-install           Don't install route into forwarding table
  no-readvertise       Don't mark route as eligible to be readvertised
  no-resolve           Don't allow resolution of indirectly connected next hops
  no-retain            Don't always keep route in forwarding table
> p2mp-lsp-next-hop    Point-to-multipoint LSP next hop
  passive              Retain inactive route in forwarding table
> preference           Preference value
> preference2          Preference value 2
> qualified-next-hop   Next hop with qualifiers
  readvertise          Mark route as eligible to be readvertised
  receive              Install a receive route for the destination
  reject               Drop packets to destination; send ICMP unreachables
  resolve              Allow resolution of indirectly connected next hops
  retain               Always keep route in forwarding table
> static-lsp-next-hop  Static LSP next hop
> tag                  Tag string
> tag2                 Tag string 2

The key ones to look into at the JNCIA level would be:

next-hop: Sets the next-hop address that traffic for the subnet uses to leave the local device
qualified-next-hop: A secondary next-hop address (known as a floating IP address). If the first next-hop address is unavailable, the router will use the qualified next-hop address. In addition, you are able to set the route preference for the qualified-next-hop manually
discard: Silently drops packets, providing no reply
reject: Drops packets and sends an ICMP reply
no-readvertise: Doesn’t mark the route as eligible to be readvertised (as in the help text above)
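To make the ideas from the Route Preference, Routing Instances and Static Routing sections concrete (a preference value deciding between two protocols offering the same prefix, longest-prefix match deciding between the /31 Direct and /32 Local routes, separate routing instances each with their own table, and discard versus reject for a static null route), here is an added Python model. It is an illustration written for this post, not Junos code; the tables are constructed from the show route outputs above, with the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 added for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Default route preferences from the table in the Route Preference section (lower wins).
PREFERENCE = {"Direct": 0, "Local": 0, "Static": 5, "OSPF": 10, "RIP": 100,
              "Aggregate": 130, "OSPF-External": 150, "BGP": 170}


class Route:
    """One RIB entry. next_hop is an IP for a static/learned route, an interface name for
    Direct/Local, or the Junos keywords 'discard' / 'reject' for a static null route."""

    def __init__(self, prefix, protocol, next_hop, preference=None):
        self.prefix = ip_network(prefix, strict=False)
        self.protocol = protocol
        self.next_hop = next_hop
        # an explicit value models 'set routing-options static route X preference N'
        self.preference = PREFERENCE[protocol] if preference is None else preference

    def __repr__(self):
        return "%s *[%s/%d] -> %s" % (self.prefix, self.protocol, self.preference, self.next_hop)


def active_routes(rib):
    """For each prefix keep the lowest-preference route: the '*' route that show route marks active."""
    best = {}
    for r in rib:
        cur = best.get(r.prefix)
        if cur is None or r.preference < cur.preference:
            best[r.prefix] = r
    return list(best.values())


def lookup(table, dest):
    """Longest-prefix match among the active routes, which is why the /32 Local route wins
    over the /31 Direct route that also covers 172.31.100.2."""
    addr = ip_address(dest)
    matches = [r for r in active_routes(table) if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(tables, instance, dest):
    """Resolve dest in one routing instance's table. Returns ('forward', next_hop),
    ('discard', None) for a silent drop, ('reject', None) for drop plus ICMP unreachable,
    or ('unreachable', None) when the instance has no matching route at all."""
    r = lookup(tables[instance], dest)
    if r is None:
        return ("unreachable", None)
    if r.next_hop in ("discard", "reject"):
        return (r.next_hop, None)
    return ("forward", r.next_hop)


# Constructed tables modelled on the show route outputs above: the global inet.0 plus the
# trust and untrust virtual-router instances, which cannot see each other's prefixes.
TABLES = {
    "inet.0": [
        Route("0.0.0.0/0", "Static", "10.1.0.1"),
        Route("10.1.0.0/24", "Direct", "ge-0/0/7.0"),
        Route("10.1.0.207/32", "Local", "ge-0/0/7.0"),
        Route("172.31.100.2/31", "Direct", "ge-0/0/1.0"),
        Route("172.31.100.2/32", "Local", "ge-0/0/1.0"),
        # the same prefix learned twice: Static/5 beats OSPF/10 whatever the arrival order
        Route("192.0.2.0/24", "OSPF", "10.1.0.17"),
        Route("192.0.2.0/24", "Static", "10.1.0.1"),
        # a null route, as 'set routing-options static route 198.51.100.0/24 discard' creates
        Route("198.51.100.0/24", "Static", "discard"),
    ],
    "trust.inet.0": [
        Route("172.16.0.0/24", "Static", "192.168.0.1"),
        Route("192.168.0.0/24", "Direct", "vlan.20"),
        Route("192.168.0.2/32", "Local", "vlan.20"),
    ],
    "untrust.inet.0": [
        Route("172.16.0.0/24", "Direct", "vlan.10"),
        Route("172.16.0.2/32", "Local", "vlan.10"),
        Route("192.168.0.0/24", "Static", "172.16.0.1"),
    ],
}

if __name__ == "__main__":
    for instance, dest in [("inet.0", "172.31.100.2"), ("inet.0", "192.0.2.9"),
                           ("inet.0", "198.51.100.7"), ("inet.0", "203.0.113.5"),
                           ("trust.inet.0", "172.16.0.9"), ("trust.inet.0", "10.1.0.5")]:
        print("%-14s %-14s -> %s" % (instance, dest, forward(TABLES, instance, dest)))
```

The last lookup shows the isolation routing instances give you: 10.1.0.0/24 exists only in inet.0, so a packet resolved in trust.inet.0 has no route to it even though the same box knows the prefix.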

Using only static routing in a network is a lot of manual work: you would have to do this on every device on your network, and trying to maintain it would be ridiculous and unscalable. This leads into why Dynamic Routing Protocols are important in a network, in conjunction with static routes.

Dynamic Routing Protocols

When talking about dynamic routing, we can break it down into two categories: Internal Gateway Protocols and External Gateway Protocols.

Internal Gateway Protocols

Internal Gateway Protocols (IGPs) are protocols used for exchanging routing information between gateways within an Autonomous System. Within IGPs there are two types of protocol: distance-vector routing protocols and link-state routing protocols.

In a distance-vector routing protocol, each router does not possess information about the full network topology. It advertises its calculated distance value (DV) to other routers and receives similar advertisements from them, as changes occur in the local network or at neighbouring routers. Using these routing advertisements each router populates its routing table. In the next advertisement cycle, a router advertises the updated information from its routing table. This process continues until the routing tables of all routers converge to stable values.

Distance Vector Protocols include:

Routing Information Protocol (RIP)
Routing Information Protocol Version 2 (RIPv2)
Routing Information Protocol Next Generation (RIPng), an extension of RIP version 2 with support for IPv6
Interior Gateway Routing Protocol (IGRP)

In link-state routing protocols, by contrast, each router possesses information about the complete network topology. Each router then independently calculates the best next hop for every possible destination in the network using its local copy of the topology. The collection of best next hops forms the routing table.

This contrasts with distance-vector routing protocols, which work by having each node share its routing table with its neighbours. In a link-state protocol, the only information passed between the nodes is information used to construct the connectivity maps.

Link-state routing protocols include:

Open Shortest Path First (OSPF)
Intermediate system to intermediate system (IS-IS)
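The two mechanisms described above, simulated side by side on a constructed four-router topology; this is an added illustration, not code from the post or from any Junos component. distance_vector has each router learn only from its neighbours' advertised vectors, cycle by cycle, until nothing changes; link_state gives each router the whole map and runs Dijkstra locally. Both end with the same next hops, which is the point: they differ in what is exchanged and how they converge, not in the answer.

```python
import heapq

# Constructed topology: undirected links (router, router, cost). The direct A-C link is
# deliberately expensive, so the best A->C path runs through B and has to be discovered.
LINKS = [("A", "B", 1), ("B", "C", 1), ("A", "C", 5), ("C", "D", 1)]


def adjacency(links):
    """router -> {neighbour: link cost}"""
    adj = {}
    for u, v, cost in links:
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def distance_vector(links, max_cycles=50):
    """Bellman-Ford style exchange. Each router starts knowing only itself and its directly
    connected neighbours, then in every advertisement cycle reads its neighbours' current
    vectors and adopts any cheaper path. Returns (tables, cycles): tables[router][dest] is
    (cost, next_hop) and cycles counts rounds up to and including the first quiet one."""
    adj = adjacency(links)
    tables = {r: {r: (0, None)} for r in adj}
    for r, nbrs in adj.items():
        for n, cost in nbrs.items():
            tables[r][n] = (cost, n)
    for cycle in range(1, max_cycles + 1):
        advertised = {r: dict(t) for r, t in tables.items()}  # what each router sends this cycle
        changed = False
        for r, nbrs in adj.items():
            for n, link_cost in nbrs.items():
                for dest, (cost, _) in advertised[n].items():
                    candidate = link_cost + cost
                    if dest not in tables[r] or candidate < tables[r][dest][0]:
                        tables[r][dest] = (candidate, n)
                        changed = True
        if not changed:
            return tables, cycle
    return tables, max_cycles


def link_state(links, source):
    """Dijkstra over the complete topology map, as a router holding the full link-state
    database runs it. Returns {dest: (cost, next_hop)} from source's point of view."""
    adj = adjacency(links)
    dist = {source: 0}
    first_hop = {source: None}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if u == source else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return {dest: (dist[dest], first_hop[dest]) for dest in dist}


if __name__ == "__main__":
    tables, cycles = distance_vector(LINKS)
    print("distance-vector converged after %d cycles" % cycles)
    for router in sorted(tables):
        print(router, "DV:", sorted(tables[router].items()),
              "LS:", sorted(link_state(LINKS, router).items()))
```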

External Gateway Protocols

External Gateway Protocols (EGPs) are routing protocols used to exchange routing information between autonomous systems. This exchange is crucial for communications across the Internet. Notable exterior gateway protocols include the Exterior Gateway Protocol (EGP) and the Border Gateway Protocol (BGP).


JNCIA Refresher #2 – Junos OS Fundamentals

Junos device portfolio – product families, general functionality
Software architecture and Protocol daemons
Control and Forwarding planes
Routing Engine and Packet Forwarding Engine
Transit and Exception traffic

Junos device portfolio – product families, general functionality

Juniper has a number of products that now span a number of different environments. For the most part you are able to categorise the devices into four networking areas: Enterprise, Service Provider, Data Centre and Security. Of course you can put whatever device into your network you wish, but some devices will be more effective and efficient in a particular environment than others. The sections below show the different model Series that Juniper provide (descriptions are taken from the Juniper product pages).

The M Series is a Multiservice Edge Router, sitting on the edge of your network connecting to external peers and transit providers. These would be seen in Service Provider or Medium to Large Enterprise networks. The M Series can provide up to 320 Gbps of throughput.

Model Juniper’s Description
M7i M7i Multiservice Edge Router is compact with 10 Gbps throughput.
M10i M10i Multiservice Edge Router is compact and fully redundant with 16 Gbps throughput.
M120 M120 Multiservice Edge Router is highly redundant with 120 Gbps throughput.
M320 M320 Multiservice Edge Router is a 320 Gbps high-performance routing platform.
The T Series provides from 320 Gbps up to 1.6 Tbps of throughput on a single chassis and up to 25 Tbps in a multi-chassis configuration. These routers would be used within an IP/MPLS Core in Service Provider or Large Enterprise networks.

Model Juniper’s Description
T640 T640 Core Router delivers 50 Gbps forwarding on each of its 8 slots, and is ideal for powering small core applications.
T1600 T1600 Core Router offers scalable, high-performance, core routing in a small package.
T4000 T4000 Core Router delivers 4 Tbps of traffic in a single half rack routing node.
The MX Series offers the flexibility of a router with up to 80 Tbps of throughput combined with switching capabilities. The MX Series can be used as both an Edge and a Core device in Service Provider/Enterprise environments and offers stability through interchangeable line cards and software licensing.

Model Juniper’s Description
MX5 The MX5 is a compact 20 Gbps upgradeable router for enterprise applications, space/power constrained service provider facilities and CPEs.
MX10 The MX10 is a compact 40 Gbps router ideal for enterprise applications and space/power-constrained service provider facilities.
MX40 The MX40 is a compact 60 Gbps router ideal for enterprise applications and space/power-constrained service provider facilities.
MX80 The MX80 is a compact 80 Gbps router ideal for enterprise applications and space/power constrained service provider facilities.
MX104 The 80 Gbps MX104 offers control plane redundancy and is optimized for Ethernet aggregation and enterprise applications.
MX240 The modular MX240 offers almost 2 Tbps of system capacity for cloud, campus and enterprise data center, service provider edge, and mobile service core deployments.
MX480 The modular MX480 delivers over 5 Tbps of system capacity for cloud, campus and enterprise data center, service provider edge, and mobile service core deployments.
MX960 The modular MX960 delivers over 10 Tbps of system capacity for cloud and large enterprise data center, service provider edge, and mobile service core deployments.
MX2010 The modular MX2010 offers over 17 Tbps of system capacity to help service providers scale long-term for broadband traffic, subscribers, and services.
MX2020 The modular MX2020 is the industry’s highest-capacity, single-chassis edge router, supporting 10/100 Gbps interfaces and scaling up to 80 Tbps.
The EX Series is a Layer 2/3 switch largely (not exclusively) used in Enterprise Networks. These switches can be used in a Virtual Chassis configuration to provide an Aggregation Layer, High Availability and Port Capacity.

Model Juniper’s Description
2200 EX2200 switches are low power, low acoustic 1 U devices, offering an economical solution for branch offices and campus networks.
3200 The EX3300 is a compact switch for demanding converged enterprise access.
4200 The EX4200 is a flexible, stackable switching solution for data centers and campuses.
4300 The EX4300 supports branch, campus, and data center access and aggregation deployments.
4500/4550 The EX4500 and EX4550 are a compact, high-performance platform for data center, campus, and service provider deployments.
4600 The EX4600 delivers a scalable 10GbE solution for high-density campus and data center top-of-rack deployments.
6200 The EX6200 is a scalable, resilient, high-performance wiring closet solution.
8200 The EX8200 provides the port densities, scalability, and high availability required for today’s data center and campus core environments.
9200 The EX9200 is SDN-ready and offers the flexibility and scalability required for business agility and growth.
The QFX Series switches are a fairly new product from Juniper. These switches are used in Data Centre environments.

Model Juniper’s Description
QFX3500 The QFX3500 Switch is a high-performance, low-latency, feature-rich 10GbE Layer 2 and Layer 3 switch designed and optimized for virtualized data centers.
QFX3600 The QFX3600 Switch is a 40GbE, high-performance, Layer 2 and Layer 3 switch designed and optimized for virtualized data centers
QFX5100 The QFX5100 Switches are low-latency, high-performance 10GbE/40GbE switches that act as a flexible building block for multiple data center fabric architectures.
QFX10000 The QFX10000 Switches are highly scalable, high-density platforms that support a variety of 10GbE/40GbE/100GbE deployments, providing a robust foundation for the most demanding data centers.
The SRX Series are Juniper’s Security Gateway/Firewall devices, used to protect your network. These can be used as an Edge Gateway in a number of different environments, from Service Provider and Enterprise to Data Centre.

Model Juniper’s Description
100 SRX100 Services Gateway provides high-performance security for small business and distributed enterprise locations.
110 SRX110 consolidates security, routing, switching, and WAN connectivity in a small desktop device, and is ideal for securing small businesses and branch deployments.
210 SRX210 provides robust, enterprise-class security for small distributed enterprise locations.
220 SRX220 provides robust, enterprise-class security for small to midsize businesses and distributed enterprise locations.
240 SRX240 provides robust, enterprise-class security for branch distributed enterprise locations.
550 SRX550 provides robust, enterprise-class security for medium and large branch locations.
650 SRX650 provides robust, enterprise-class security for regional sites and large branch locations
1400 SRX1400 is ideal for securing small to midsize data center environments.
3400 SRX3400 is ideal for securing small and midsize server farms and hosting sites.
3600 SRX3600 is ideal for securing medium to large enterprise data centers, hosted or colocated data centers, and server farms.
5400 SRX5400 is ideal for securing service provider, large enterprise, and public sector networks.
5600 SRX5600 is ideal for securing large enterprise data centers or service provider infrastructures, and aggregating security services.
5800 SRX5800 is ideal for securing large enterprise data centers, hosted or colocated data centers, and service provider infrastructures.

Software architecture and Protocol daemons

Junos, unlike many other vendors' operating systems, is a Unix-based system: its underlying operating system is based on the open-source Unix system FreeBSD. Using an open-source base for the OS has allowed Junos to be easily adapted across the multiple platforms that Juniper offers. The Unix base also gives Junos a modular design, where each module runs as its own separate process with its own dedicated memory space. This matters because a fault in one module will not break the whole device, since that module has its own protected memory space. To see the processes running on the device, run the command show system processes | match /usr/sbin

System Processes and Daemons
[email protected]_SRX> show system processes | match /usr/sbin 
 1257  ??  S      0:00.06 /usr/sbin/tnetd -N
 1259  ??  S     13:15.04 /usr/sbin/chassisd -N
 1260  ??  S     33:39.68 /usr/sbin/alarmd -N
 1261  ??  S      1:53.77 /usr/sbin/craftd -N
 1262  ??  S      0:21.39 /usr/sbin/mgd -N
 1263  ??  S     27:16.26 /usr/sbin/snmpd -N
 1264  ??  S     73:26.45 /usr/sbin/mib2d -N
 1265  ??  S     32:50.53 /usr/sbin/rpd -N
 1266  ??  S     73:08.18 /usr/sbin/l2ald -N
 1267  ??  S      0:00.18 /usr/sbin/inetd -N -w
 1268  ??  S     32:51.30 /usr/sbin/pfed -N
 1269  ??  S      1:45.65 /usr/sbin/cosd
 1270  ??  S     12:34.69 /usr/sbin/kmd -N
 1271  ??  S     15:28.64 /usr/sbin/ppmd -N
 1272  ??  S      0:17.35 /usr/sbin/dfwd -N
 1273  ??  S      7:54.62 /usr/sbin/irsd -N
 1274  ??  S      2:48.90 /usr/sbin/bfdd -N
 1275  ??  S    39659:13.10 /usr/sbin/flowd_octeon_hm
 1277  ??  S      0:00.33 /usr/sbin/pppd -N
 1279  ??  S      0:35.75 /usr/sbin/mplsoamd -N
 1280  ??  S      0:00.25 /usr/sbin/sendd -N
 1281  ??  S      0:00.46 /usr/sbin/wwand -N
 1282  ??  S      3:42.82 /usr/sbin/smid -N
 1283  ??  S      0:00.17 /usr/sbin/relayd -N
 1284  ??  S     55:48.49 /usr/sbin/shm-rtsdbd -N
 1285  ??  S      1:47.37 /usr/sbin/jsrpd -N
 1286  ??  S      2:41.78 /usr/sbin/nsd -N
 1287  ??  S      5:50.36 /usr/sbin/pkid -N
 1288  ??  S      0:00.56 /usr/sbin/appidd -N
 1289  ??  S      3:08.13 /usr/sbin/idpd -N
 1290  ??  S      8:46.55 /usr/sbin/rtlogd -N
 1291  ??  S     38:49.97 /usr/sbin/utmd -N
 1292  ??  S      0:25.08 /usr/sbin/smtpd -N
 1293  ??  S      8:57.92 /usr/sbin/wland -N
 1294  ??  S      8:19.53 /usr/sbin/mcsnoopd -N
 1295  ??  S    110:37.19 /usr/sbin/license-check -U -M -p 10 -i 10
 1296  ??  S      0:00.39 /usr/sbin/sdxd -N
17173  ??  S      7:35.50 /usr/sbin/lldpd -N
  923  u0- S      0:06.23 /usr/sbin/usbd -N
  942  u0- S      0:18.52 /usr/sbin/eventd -N -r -s -A

Control and Forwarding planes

All the functions of the control plane run on the Routing Engine (RE), whether you have a router, switch, or security platform running Junos. The control plane is a set of modules with clean interfaces between them. The internal interface between the RE and the forwarding plane differs between device models, but it will largely be fxp1 or bme0; you can check by running show interface terse. In addition, the kernel has control modules that manage all the needed communication between the components: it handles the link between the RE, the Packet Forwarding Engine (PFE) and the services. Each module provides a different control process, such as control for the chassis, Ethernet switching, routing protocols, interfaces, management, etc. As stated earlier, Junos uses a Unix-based kernel from FreeBSD; this open-source underlying kernel provides many of the essential functions of an operating system, such as the scheduling of resources. Junos protects the control plane from attack by rate-limiting the traffic that reaches your RE and by allowing firewall filters to be placed onto the management interfaces

The Packet Forwarding Engine (PFE) is the central processing element of the forwarding plane, systematically moving the packets in and out of the device. In the Junos OS, the PFE has a locally stored forwarding table. The forwarding table is a synchronized copy of all the information from the RE that the forwarding plane needs to handle each packet, including outgoing interfaces, addresses, and so on. Storing a local copy of this information allows the PFE to get its job done without going to the control plane every time that it needs to process a packet. Another benefit to having a local copy is that the PFE can continue forwarding packets, even when a disruption occurs to the control plane, such as when a routing or other process issue happens.

 

Routing Engine and Packet Forwarding Engine

The Packet Forwarding Engine uses application-specific integrated circuits (ASICs) chips, to perform Layer 2 and Layer 3 packet switching, route lookups, and packet forwarding. The Packet Forwarding Engine forwards packets between input and output interfaces.

The Routing Engine controls the routing updates and system management. The Routing Engine consists of routing protocol software processes running inside a protected memory environment on a general-purpose computer platform. The Routing Engine handles all the routing protocol processes and other software processes that control the routing platform’s interfaces, some of the chassis components, system management, and user access to the routing platform. These routing platform and software processes run on top of a kernel that interacts with the Packet Forwarding Engine.

The key functions of the Routing Engine are:

  • Routing protocol packets processing
  • Software modularity—Software functions have been divided into separate processes, so a failure of one process has little or no effect on other software processes.
  • In-depth IP functionality- Each routing protocol is implemented with a complete set of IP features and provides full flexibility for advertising, filtering, and modifying routes. Routing policies are set according to route parameters, such as prefix, prefix lengths, and Border Gateway Protocol (BGP) attributes
  • Management interfaces—System management is possible with a command-line interface (CLI), a craft interface, and Simple Network Management Protocol (SNMP).
  • Storage and change management
  • Monitoring efficiency and flexibility—Alarms can be generated and packets can be counted without adversely affecting packet forwarding performance.
  • Transit and Exception traffic

    Transit

    Transit traffic is traffic sent by a user that isn't destined for the router, switch or gateway, but whose packets have to pass through the device to get to their end destination. For example:

    PC1 ---> Switch --> Router --> Internet

    If the PC on the left wanted to get to the Internet on the right, the packets would transit the network to get out to the Internet. Transit traffic is mostly unicast and/or multicast packets. Most of the time, transit traffic will be processed entirely by the PFE, as only the forwarding table needs to be referenced, which allows quicker movement of traffic. It is important to note that transit traffic does not consult the Routing Engine.

    Exception traffic is traffic that is destined for the local system. For example, if you wanted to check whether the router is up, you would ping its loopback address. This would be regarded as exception traffic, as packets destined for the device itself require additional processing by the Routing Engine.
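The exception traffic described above is exactly what a control-plane filter has to police: anything destined for the device itself goes to the RE, so the rate-limiting and filtering mentioned under "Control and Forwarding planes" is applied as an input filter on lo0. The following Junos configuration is an added example, not from the original post; the management prefix 10.1.10.0/24, the lo0 address 192.0.2.1/32, and the filter/policer names are assumptions.

```junos
/* Added example (not from the original post): a loopback filter that controls
   which exception traffic may reach the Routing Engine. The management prefix
   10.1.10.0/24, the lo0 address and the filter/policer names are assumptions. */
firewall {
    /* ICMP to the RE is capped rather than dropped outright, so a ping to the
       loopback still works but a flood cannot monopolise the RE. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* SSH only from the management subnet. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        10.1.10.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* ICMP is accepted but rate-limited by the policer above. */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    accept;
                }
            }
            /* Return traffic for TCP sessions the RE itself opened
               (tcp-established matches segments with ACK or RST set). */
            term allow-return {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Everything else is counted, logged and dropped. Terms for any
               routing protocol the device runs (OSPF, BGP, ...) and for UDP
               services it relies on (DNS, NTP) belong before this term. */
            term discard-rest {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* An input filter on lo0 sees all RE-bound traffic, whichever
                   physical interface it arrived on. */
                filter {
                    input protect-re;
                }
                address 192.0.2.1/32;
            }
        }
    }
}
```

Load it with load merge terminal in configuration mode and commit it with commit confirmed so that a filter which locks you out of SSH rolls back on its own; once it is in place, show firewall filter protect-re shows the re-discards counter and show log messages shows what the final term is dropping, which is a quick way to find legitimate exception traffic you forgot to allow. On an SRX the host-inbound-traffic settings of each security zone also decide which system services the RE will answer on that zone, so the two controls should agree.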


    JNCIA Refresher #1 – User Interface

    Decided to get my act in gear and get started on my journey to becoming a JNCIE engineer. I've worked with Junos for a couple of years now (using it properly over the last 12 months!), and I would like to think I know a few bits about it, but when it comes to exams it's always good to go over the "basics"

    Before getting into it, I’ve taken a look on the Juniper JNCIA Track page to check the topics that exam takers will be expected to know:

    Networking Fundamentals
    Junos OS Fundamentals
    User Interfaces
    Junos Configuration Basics
    Operational Monitoring and Maintenance
    Routing Fundamentals
    Routing Policy and Firewall Filters

    Having a quick look over these topics, although they are pretty straightforward for me, I've always been told never to think too little of a problem! With this in mind, I'll be making a series of posts to refresh myself on the basic understanding of Junos and Juniper devices. Although I use Junos every day at work, I've told myself that doing a bit of studying will be useful as:

    1. I may learn something new
    2. I’ll (definitely) remember something I’ve forgotten
    3. Most importantly, how things work in the real world and how things are in an exam are COMPLETELY different, so exam techniques are always needed!

    As I was going through the different topics, there were a few things I just looked over, as I was confident enough with them! So I won't be going over those in these posts

    With that being said, let's begin 😀

    User Interface

    CLI modes and navigation

    With Junos, there are 3 different levels of access available. The prompt character shows which one you are at:

    [email protected]_SRX% <------- the % prompt shows that we are at the Unix shell level. As Junos is based on FreeBSD, the underlying system is a Unix environment, so you will be able to run a number of familiar Unix/Linux commands. You get into this shell level either by logging into your device as root or, if you are in Operational mode, by using the command start shell

    [email protected]_SRX> <------- the > prompt shows that we are at the Operational level. This is where we are able to run checks (via show commands), troubleshoot and make system requests. You enter this mode automatically if you log in with a created user. If you log in as root, to get to Operational mode from the shell level you will need to run the command cli
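Which of these levels a given account can reach is decided by its login class, not by the prompt: the shell permission is what start shell requires, and the configure permission is what opens configuration mode. The configuration below is an added example, not from the original post, showing a read-only operator class beside the predefined super-user class; the user names, the class name and the password hashes are placeholders.

```junos
/* Added example (not from the original post): login classes that decide which
   of the three levels a user can reach. User names, the class name and the
   password hashes are placeholders. */
system {
    /* root is the only account that lands directly in the % shell, and the
       configuration will not commit until it has a password. */
    root-authentication {
        encrypted-password "<PLACEHOLDER-HASH>"; ## SECRET-DATA
    }
    login {
        /* Read-only operators: operational mode (>) only. "shell" is not in
           the permission list, so start shell is refused; configure/edit and
           request are denied explicitly as well. */
        class noc-readonly {
            permissions [ view view-configuration ];
            deny-commands "^(start shell|configure|edit|request)";
        }
        user monitor {
            class noc-readonly;
            authentication {
                encrypted-password "<PLACEHOLDER-HASH>"; ## SECRET-DATA
            }
        }
        /* Administrators: the predefined super-user class carries every
           permission, so this user can reach configuration mode (#) and the
           shell via start shell. */
        user netadmin {
            class super-user;
            authentication {
                encrypted-password "<PLACEHOLDER-HASH>"; ## SECRET-DATA
            }
        }
    }
}
```

In practice you would set the passwords interactively with set system login user monitor authentication plain-text-password rather than pasting a hash; the point of the split is that day-to-day monitoring never needs an account that can drop to the FreeBSD shell.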

    Operational Mode Commands
    Most used commands from this level would be:

    [email protected]_SRX> ?      
    Possible completions:
      clear                Clear information in the system
      configure            Manipulate software configuration information
      file                 Perform file operations
      help                 Provide help information
      load                 Load information from file
      monitor              Show real-time debugging information
      mtrace               Trace multicast path from source to receiver
      op                   Invoke an operation script
      ping                 Ping remote target
      quit                 Exit the management session
      request              Make system-level requests
      restart              Restart software process
      save                 Save information to file
      set                  Set CLI properties, date/time, craft interface message
      show                 Show system information
      ssh                  Start secure shell on another host
      start                Start shell
      telnet               Telnet to another host
      test                 Perform diagnostic debugging
      traceroute           Trace route to remote host

    [email protected]_SRX# <------- the # prompt shows that we are at the configuration level. This is where we make configuration changes on the device. To get into configuration mode, you need to be in Operational mode and run either the command configure or edit

    Configuration Mode Commands
    Most used commands from this level:

    [email protected]_SRX# ?
    Possible completions:
      <[Enter]>            Execute this command
      activate             Remove the inactive tag from a statement
      annotate             Annotate the statement with a comment
      commit               Commit current set of changes
      copy                 Copy a statement
      deactivate           Add the inactive tag to a statement
      delete               Delete a data element
      edit                 Edit a sub-element
      exit                 Exit from this level
      extension            Extension operations
      help                 Provide help information
      insert               Insert a new ordered data element
      load                 Load configuration from ASCII file
      prompt               Prompt for an input
      protect              Protect the statement
      quit                 Quit from this level
      rename               Rename a statement
      replace              Replace character string in configuration
      rollback             Roll back to previous committed configuration
      run                  Run an operational-mode command
      save                 Save configuration to ASCII file
      set                  Set a parameter
      show                 Show a parameter
      status               Show users currently editing configuration
      top                  Exit to top level of configuration
      unprotect            Unprotect the statement
      up                   Exit one level of configuration
      wildcard             Wildcard operations

    Junos configuration is organized as a hierarchy. When we enter configuration mode, the [edit] banner shows that we are at the top of the hierarchy:

    [edit]
    [email protected]_SRX#

    From here we are able to drill down into the different hierarchical levels and make changes that affect that particular level. For example, if we wanted to configure the interface ge-0/0/3 with the IP address 10.1.10.100/24, we can drill down the interfaces hierarchy to make the change, using the 'edit' command to change levels. It is also important to know that each hierarchical level has specific commands that are exclusive to that level

    Top level
    [email protected]_SRX# edit ?
    Possible completions:
    > access               Network access configuration
    > access-profile       Access profile for this instance
    > accounting-options   Accounting data configuration
    > applications         Define applications by protocol characteristics
    > bridge-domains       Bridge domain configuration
    > chassis              Chassis configuration
    > class-of-service     Class-of-service configuration
    > ethernet-switching-options  Ethernet-switching configuration options
    > event-options        Event processing configuration
    > firewall             Define a firewall configuration
    > forwarding-options   Configure options to control packet forwarding
    > groups               Configuration groups
    > interfaces           Interface configuration
    > multi-chassis        
    > policy-options       Policy option configuration
    > protocols            Routing protocol configuration
    > routing-instances    Routing instance configuration
    > routing-options      Protocol-independent routing option configuration
    > schedulers           Security scheduler
    > security             Security configuration
    > services             Set services parameters
    > smtp                 Simple Mail Transfer Protocol service configuration
    > snmp                 Simple Network Management Protocol configuration
    > switch-options       Options for default routing-instance of type virtual-switch
    > system               System parameters
    > vlans                VLAN configuration
    > wlan                 Wireless access point configuration
    Interface level
    [edit interfaces]
    [email protected]_SRX# set ?
    Possible completions:
      <interface_name>     Interface name
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      ge-0/0/0             Interface name
      ge-0/0/3             Test
      ge-0/0/6             Interface name
    > interface-range      Interface ranges configuration
    > interface-set        Logical interface set configuration
    > traceoptions         Interface trace options
    Physical Port level
    [edit interfaces ge-0/0/3]
    [email protected]_SRX# set ?
    Possible completions:
      accounting-profile   Accounting profile name
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      description          Text description of interface
      disable              Disable this interface
      encapsulation        Physical link-layer encapsulation
      flexible-vlan-tagging  Support for no tagging, or single and double 802.1q VLAN tagging
    > gigether-options     Gigabit Ethernet interface-specific options
      gratuitous-arp-reply  Enable gratuitous ARP reply
    > hold-time            Hold time for link up and link down
      link-mode            Link operational mode
      mac                  Hardware MAC address
      mtu                  Maximum transmit packet size (256..9192)
      native-vlan-id       Virtual LAN identifier for untagged frames (0..4094)
      no-gratuitous-arp-reply  Don't enable gratuitous ARP reply
      no-gratuitous-arp-request  Ignore gratuitous ARP request
      no-per-unit-scheduler  Don't enable subunit queuing on Frame Relay or VLAN IQ interface
      no-traps             Don't enable SNMP notifications on state changes
      passive-monitor-mode  Use interface to tap packets from another router
      per-unit-scheduler   Enable subunit queuing on Frame Relay or VLAN IQ interface
      promiscuous-mode     Enable promiscuous mode for L3 interface
      speed                Link speed
      stacked-vlan-tagging  Stacked 802.1q VLAN tagging support
    > switch-options       Front end ports configuration
    > traceoptions         Interface trace options
      traps                Enable SNMP notifications on state changes
    > unit                 Logical interface
      vlan-tagging         802.1q VLAN tagging support
    With hierarchical levels you have the option of either drilling down to the bottom of the hierarchy to make the change, or of issuing the full 'set' command from the top or from any hierarchical level.
    Command SET within interface hierarchy level
    [edit interfaces ge-0/0/3]
    [email protected]_SRX# set unit 0 family inet address 10.1.100.100/24

    Command SET from top level
    [edit]
    [email protected]_SRX# set interface ge-0/0/3 unit 0 family inet address 10.1.100.100/24
    Hierarchy Commands

    edit = Moves you down to the level you need
    up = Moves you one level up from the current hierarchical level
    top = Moves you to the top of the configuration hierarchy

    CLI Help

    One very useful command (that I just learnt about myself!) is help. It shows you the built-in documentation that is on all Juniper devices. The options that will most likely be used are reference, apropos and topic.

    [email protected]_SRX# help ?   
    Possible completions:
      <[Enter]>            Execute this command
      apropos              Find help information about a topic
      reference            Reference material
      syslog               System log error messages
      tip                  Tip for the day
      topic                Help for high level topics
      |                    Pipe through a command

    The topic option gives you detail, description and context about a particular topic on the device

    Help Topic Example
    [email protected]_SRX# help topic interfaces address   
                           Configuring the Interface Address
    
       You assign an address to an interface by specifying the address when
       configuring the protocol family. For the inet or inet6 family, configure
       the interface IP address. For the iso family, configure one or more
       addresses for the loopback interface. For the ccc, ethernet-switching,
       tcc, mpls, tnp, and vpls families, you never configure an address.
    
       +------------------------------------------------------------------------+
       |       | The point-to-point (PPP) address is taken from the loopback    |
       | Note: | interface address that has the primary attribute. When the     |
       |       | loopback interface is configured as an unnumbered interface,   |
       |       | it takes the primary address from the donor interface.         |
       +------------------------------------------------------------------------+
    
       To assign an address to an interface, include the address statement:
         address address {
             broadcast address;
             destination address;
             destination-profile name;
             eui-64;
             preferred;
             primary;
         }
       You can include these statements at the following hierarchy levels:
         * [edit interfaces interface-name unit logical-unit-number family
           family]
         * [edit logical-systems logical-system-name interfaces interface-name
           unit logical-unit-number family family]
       In the address statement, specify the network address of the interface.
       For each address, you can optionally configure one or more of the
       following:
         * Broadcast address for the interface subnet-Specify this in the
           broadcast statement; this applies only to Ethernet interfaces, such as
           the management interface fxp0, em0, or me0 the Fast Ethernet
           interface, and the Gigabit Ethernet interface.
         * Address of the remote side of the connection (for point-to-point
           interfaces only)-Specify this in the destination statement.
         * PPP properties to the remote end-Specify this in the
           destination-profile statement. You define the profile at the [edit
           access group-profile name ppp] hierarchy level (for point-to-point
           interfaces only).
         * Whether the router or switch automatically generates the host number
           portion of interface addresses-The eui-64 statement applies only to
           interfaces that carry IPv6 traffic, in which the prefix length of the
           address is 64 bits or less, and the low-order 64 bits of the address
           are zero. This option does not apply to the loopback interface (lo0)
           because IPv6 addresses configured on the loopback interface must have
           a 128-bit prefix length.
    
           +-------------------------------------------------------------+
           | Note: | IPv6 is not currently supported for the QFX Series. |
           +-------------------------------------------------------------+
    
         * Whether this address is the preferred address-Each subnet on an
           interface has a preferred local address. If you configure more than
           one address on the same subnet, the preferred local address is chosen
           by default as the source address when you originate packets to
           destinations on the subnet.
    
           By default, the preferred address is the lowest-numbered address on
           the subnet. To override the default and explicitly configure the
           preferred address, include the preferred statement when configuring
           the address.
                                            
         * Whether this address is the primary address-Each interface has a
           primary local address. If an interface has more than one address, the
           primary local address is used by default as the source address when
           you send packets from an interface where the destination provides no
           information about the subnet (for example, some ping commands).
       By default, the primary address on an interface is the lowest-numbered
       non-127 (in other words, non-loopback) preferred address on the interface.
       To override the default and explicitly configure the preferred address,
       include the primary statement when configuring the address.
         * Configuring Interface IPv4 Addresses
         * Configuring Interface IPv6 Addresses
    
      Related-Topics
    
            * Configuring IPCP Options
            * Configuring Default, Primary, and Preferred Addresses and
              Interfaces

    The reference option shows the command structure; it is a type of configuration assistance, as it provides all the possible configuration syntax that's available for that topic

    Help Reference Example
    [email protected]_SRX# help reference interfaces address 
    address
    
      Syntax
    
         address address {
             arp ip-address (mac | multicast-mac) mac-address ;
             broadcast address;
             destination address;
             destination-profile name;
             eui-64;
             master-only;
             multipoint-destination address dlci dlci-identifier;
             multipoint-destination address {
                 epd-threshold cells;
                 inverse-arp;
                 oam-liveness {
                     up-count cells;
                     down-count cells;
                 }
                 oam-period (disable | seconds);
                 shaping {
                     (cbr rate | rtvbr peak rate sustained rate burst length |
         vbr peak rate sustained rate burst length);
                     queue-length number;
                 }
                 vci vpi-identifier.vci-identifier;
             }
             primary;
             preferred;
             (vrrp-group | vrrp-inet6-group) group-number {
                 (accept-data | no-accept-data);
                 advertise-interval seconds;
                 authentication-type authentication;
                 authentication-key key;
                 fast-interval milliseconds;
                 (preempt | no-preempt) {
                     hold-time seconds;
                 }
                 priority-number number;
                 track {
                     priority-cost seconds;
                     priority-hold-time interface-name {
                         interface priority;
                         bandwidth-threshold bits-per-second {
                             priority;
                         }
                     }
                     route ip-address/mask routing-instance instance-name
         priority-cost cost;
                 }
                 virtual-address [ addresses ];
             }
         }
    
      Hierarchy Level
    
         [edit interfaces interface-name unit logical-unit-number family family],
         [edit logical-systems logical-system-name interfaces interface-name unit
         logical-unit-number family family]
    
      Release Information
    
         Statement introduced before Junos OS Release 7.4.
         Statement introduced in Junos OS Release 9.0 for EX Series switches.
         Statement introduced in Junos OS Release 11.1 for QFX Series switches.
    
      Description
    
         Configure the interface address.
    
         +----------------------------------------------------------------------+
         | Note: | The vrrp High Availability functionality is not available    |
         |       | for the QFX Series switches                                  |
         +----------------------------------------------------------------------+
    
      Options
    
         address-Address of the interface.
    
         The remaining statements are explained separately.
    
         +----------------------------------------------------------------------+
         | Note: | The edit logical-systems hierarchy is not available on       |
         |       | QFabric switches.                                            |
         +----------------------------------------------------------------------+
    
      Required Privilege Level
    
         interface-To view this statement in the configuration.
         interface-control-To add this statement to the configuration.
    
      Related-Topics
    
            * Configuring the Protocol Family
            * negotiate-address
            * unnumbered-address (Ethernet)
            * Junos OS System Basics Configuration Guide

    The apropos option gives you all the commands that contain a particular word you are looking for. This will include clear, show and help commands if you are in Operational mode, and the set commands if you're in Configuration mode.

    Help Apropos Example
    [email protected]_SRX# help apropos lldp  
    set logical-systems  protocols lldp 
        Link Layer Detection Protocol
    set logical-systems  protocols lldp disable 
        Disable LLDP
    set logical-systems  protocols lldp traceoptions 
        Trace options for LLDP
    set logical-systems  protocols lldp management-address  
        LLDP management address
    set logical-systems  protocols lldp advertisement-interval  
        Transmit interval for LLDP messages
    set logical-systems  protocols lldp transmit-delay  
        Transmit delay time interval for LLDP messages
    set logical-systems  protocols lldp hold-multiplier  
        Hold timer interval for LLDP messages
    set logical-systems  protocols lldp lldp-configuration-notification-interval  
        Time interval for LLDP notification
    set logical-systems  protocols lldp interface disable 
        Disable LLDP
    set logical-systems  protocols lldp-med 
        LLDP Media Endpoint Discovery
    set logical-systems  protocols lldp-med disable 
        Disable LLDP
    set logical-systems  protocols lldp-med interface disable 
        Disable LLDP
    set logical-systems  protocols dot1x authenticator interface lldp-med-bypass 
        Bypass dot1x authentication, use lldp-med based authentication
    set protocols lldp 
        Link Layer Detection Protocol
    set protocols lldp disable 
        Disable LLDP
    set protocols lldp traceoptions 
        Trace options for LLDP
    set protocols lldp management-address  
        LLDP management address
    set protocols lldp advertisement-interval  
        Transmit interval for LLDP messages
    set protocols lldp transmit-delay  
        Transmit delay time interval for LLDP messages
    set protocols lldp hold-multiplier  
        Hold timer interval for LLDP messages
    set protocols lldp lldp-configuration-notification-interval  
        Time interval for LLDP notification
    set protocols lldp interface disable 
        Disable LLDP
    set protocols lldp-med 
        LLDP Media Endpoint Discovery
    set protocols lldp-med disable 
        Disable LLDP
    set protocols lldp-med interface disable 
        Disable LLDP
    set protocols dot1x authenticator interface lldp-med-bypass 
        Bypass dot1x authentication, use lldp-med based authentication
    set vlans  dot1q-tunneling layer2-protocol-tunneling lldp 
        Tunnel LLDP PDUs

    Keyboard shortcuts are useful to know, as you will be able to enter configuration commands quicker and spend less time looking at the screen (which is always nice :D)

    Keyboard Commands
    ctrl + b = moves the cursor one to the left (backward)
    ctrl + f = moves the cursor one to the right (forward)
    ctrl + a = moves the cursor to the beginning of the line
    ctrl + e = moves the cursor to the end of the line
    ctrl + d = deletes the character that the cursor is on
    ctrl + w = deletes the word left of the cursor
    ctrl + k = deletes everything on the right of the cursor
    ctrl + u = deletes the whole line