Junos OS. Routing Protocols and Policies Configuration Guide for Security Devices. Release Published:

Transcription

1 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Release 11.4 Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright , Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton s EGP, UC Berkeley s routing daemon (routed), and DCN s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Release 11.4 All rights reserved. Revision History November 2011 R1 Junos OS 11.4 The information in this document is current as of the date listed in the revision history. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year SOFTWARE LICENSE The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details. For complete product documentation, please see the Juniper Networks website at ii

3 END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. iii

4 iv

5 Abbreviated Table of Contents About This Guide xv Part 1 Routing Protocols Chapter 1 Routing Overview Chapter 2 Routing Instances Chapter 3 Static Routing Chapter 4 RIP Chapter 5 OSPF Chapter 6 IS-IS Chapter 7 BGP Chapter 8 Multicast Part 2 Routing Policies and Stateless Firewall Filters Chapter 9 Routing Policies Chapter 10 Stateless Firewall Filters Part 3 Index Index v

6 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices vi

7 Table of Contents About This Guide xv J Series and SRX Series Documentation and Release Notes xv Objectives xvi Audience xvi Supported Routing Platforms xvi Document Conventions xvi Documentation Feedback xviii Requesting Technical Support xviii Self-Help Online Tools and Resources xviii Opening a Case with JTAC xix Part 1 Routing Protocols Chapter 1 Routing Overview Routing Overview Networks and Subnetworks Autonomous Systems Interior and Exterior Gateway Protocols Routing Tables Forwarding Tables Dynamic and Static Routing Route Advertisements Route Aggregation Chapter 2 Routing Instances Routing Instances Overview Understanding Routing Instance Types Configuring Routing Instances Chapter 3 Static Routing Basic Static Routes Understanding Basic Static Routing Example: Configuring a Basic Set of Static Routes Static Route Selection Understanding Static Route Preferences and Qualified Next Hops Example: Controlling Static Route Selection Static Route Control in Routing and Forwarding Tables Understanding Static Route Control in Routing and Forwarding Tables Route Retention Readvertisement Prevention vii

8 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Forced Rejection of Passive Route Traffic Example: Controlling Static Routes in Routing and Forwarding Tables Default Static Route Behavior Understanding Static Routing Default Properties Example: Defining Default Behavior for All Static Routes Verifying the Static Route Configuration Chapter 4 RIP RIP Overview Distance-Vector Routing Protocols Maximizing Hop Count RIP Packets Split Horizon and Poison Reverse Efficiency Techniques Limitations of Unidirectional Connectivity RIPng Overview RIPng Protocol Overview RIPng Standards RIPng Packets RIP Configuration Overview Basic RIP Routing Understanding Basic RIP Routing Example: Configuring a Basic RIP Network RIP Traffic Control Through Metrics Understanding RIP Traffic Control with Metrics Example: Controlling Traffic with an Incoming Metric Example: Controlling Traffic with an Outgoing Metric RIP Authentication Understanding RIP Authentication Enabling Authentication with Plain-Text Passwords (CLI Procedure) Enabling Authentication with MD5 Authentication (CLI Procedure) Verifying a RIP Configuration Verifying the Exchange of RIP Messages Verifying the RIP-Enabled Interfaces Verifying Reachability of All Hosts in the RIP Network RIP Demand Circuits Overview RIP Demand Circuit Packets Timers Used by RIP Demand Circuits Example: Configuring RIP Demand Circuits Chapter 5 OSPF OSPF Overview OSPF Default Route Preference Values OSPF Routing Algorithm OSPF Three-Way Handshake viii

9 Table of Contents OSPF Version OSPF Configuration Overview OSPF Designated Routers OSPF Designated Router Overview Example: Configuring an OSPF Router Identifier Example: Controlling OSPF Designated Router Election OSPF Areas, Area Border Routers, and Backbone Areas Understanding OSPF Areas and Backbone Areas Example: Configuring a Single-Area OSPF Network Example: Configuring a Multiarea OSPF Network OSPF Stub Areas and Not-So-Stubby Areas Understanding OSPF Stub Areas, Totally Stubby Areas, and Not-So-Stubby Areas Example: Configuring OSPF Stub and Totally Stubby Areas Example: Configuring OSPF Not-So-Stubby Areas OSPF Authentication Understanding OSPFv2 Authentication Example: Configuring Simple Authentication for OSPFv2 Exchanges Example: Configuring MD5 Authentication for OSPFv2 Exchanges Example: Configuring a Transition of MD5 Keys on an OSPFv2 Interface Example: Configuring IPsec Authentication for an OSPF Interface OSPF Traffic Control Understanding OSPF Traffic Control Controlling the Cost of Individual OSPF Network Segments Dynamically Adjusting OSPF Interface Metrics Based on Bandwidth.. 96 Controlling OSPF Route Preferences Example: Controlling the Cost of Individual OSPF Network Segments Example: Controlling OSPF Route Preferences Verifying an OSPF Configuration Verifying OSPF-Enabled Interfaces Verifying OSPF Neighbors Verifying the Number of OSPF Routes Verifying Reachability of All Hosts in an OSPF Network Chapter 6 IS-IS IS-IS Overview IS-IS Areas System Identifier Mapping ISO Network Addresses IS-IS Path Selection Protocol Data Units IS-IS Hello PDU Link-State PDU Complete Sequence Number PDU Partial Sequence Number PDU Example: Configuring IS-IS IS-IS Designated Routers Understanding IS-IS Designated Routers Configuring Designated Router Election Priority for IS-IS ix

10 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Chapter 7 BGP Understanding BGP Autonomous Systems AS Paths and Attributes External and Internal BGP BGP Routes Overview BGP Messages Overview Open Messages Update Messages Keepalive Messages Notification Messages BGP Configuration Overview BGP Peering Sessions Understanding External BGP Peering Sessions Example: Configuring External BGP Point-to-Point Peer Sessions Example: Configuring Internal BGP Peer Sessions BGP Path Selections Understanding BGP Path Selection Example: Advertising Multiple Paths in BGP Understanding the Advertisement of Multiple Paths to a Single Destination in BGP Example: Ignoring the AS Path Attribute When Selecting the Best Path BGP Multiple Exit Discriminator Understanding the MED Attribute Example: Always Comparing MEDs BGP Route Reflectors Understanding BGP Route Reflectors Example: Configuring a Route Reflector BGP Confederations Understanding BGP Confederations Example: Configuring BGP Confederations Chapter 8 Multicast Multicast Overview Multicast Architecture Upstream and Downstream Interfaces Subnetwork Leaves and Branches Multicast IP Address Ranges Notation for Multicast Forwarding States Dense and Sparse Routing Modes Strategies for Preventing Routing Loops Reverse-Path Forwarding for Loop Prevention Shortest-Path Tree for Loop Prevention Administrative Scoping for Loop Prevention x

11 Table of Contents Multicast Protocol Building Blocks Multicast Configuration Overview SAP and SDP Multicast Session Announcements Understanding SAP and SDP Multicast Session Announcements Example: Configuring SAP and SDP to Listen for Session Announcements Multicast IGMP Understanding IGMP and Multicast Example: Configuring IGMP for Multicast IPv6 Multicast Flow IPv6 Multicast Flow Overview Multicast Listener Discovery (MLD) Overview Multicast PIM and Static RPs Understanding PIM and Static RPs Example: Configuring PIM Sparse Mode and RP Static IP Addresses PIM Register Messages Understanding PIM Register Messages Example: Rejecting Incoming PIM Register Messages on RP Routers Example: Stopping Outgoing PIM Register Messages on a Designated Router PIM RPF Routing Tables Understanding PIM RPF Routing Tables Example: Configuring a PIM RPF Routing Table Verifying a Multicast Configuration Verifying SAP and SDP Addresses and Ports Verifying the IGMP Version Verifying the PIM Mode and Interface Configuration Verifying the PIM RP Configuration Verifying the RPF Routing Table Configuration Part 2 Routing Policies and Stateless Firewall Filters Chapter 9 Routing Policies Routing Policies Overview Routing Policies Configuration Overview Routing Policies Understanding Routing Policies Example: Creating a Routing Policy Routing Policy Terms Understanding Routing Policy Terms Example: Creating a Routing Policy Term xi

12 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Routing Policy Match Conditions and Actions Understanding Routing Policy Match Conditions and Actions Match Conditions Actions Route-Based Match Conditions Understanding Route-Based Match Conditions Example: Rejecting Known Invalid Routes Example: Grouping Source and Destination Prefixes into a Forwarding Class Protocol-Based Match Conditions Understanding Protocol-Based Match Conditions Example: Injecting OSPF Routes into the BGP Routing Table Autonomous System Path-Based Actions Understanding Autonomous System Path-Based Actions Example: Configuring a Routing Policy to Prepend the AS Path Routing Policy Damping Parameters Understanding Damping Parameters Example: Configuring Damping Parameters Chapter 10 Stateless Firewall Filters Introduction to Stateless Firewall Filters Router Data Flow Overview Flow of Routing Information Flow of Data Packets Flow of Local Packets Interdependent Flows of Routing Information and Packets Stateless Firewall Filter Overview Packet Flow Control Stateless and Stateful Firewall Filters Purpose of Stateless Firewall Filters Standard Stateless Firewall Filter Overview Stateless Firewall Filter Types Standard Stateless Firewall Filters Service Filters Simple Filters Guidelines for Configuring Standard Firewall Filters Statement Hierarchy for Configuring Standard Firewall Filters Standard Firewall Filter Protocol Families Standard Firewall Filter Names and Options Standard Firewall Filter Terms Standard Firewall Filter Match Conditions Standard Firewall Filter Actions Guidelines for Applying Standard Firewall Filters Applying Standard Firewall Filters Overview Applying a Firewall Filter to a Router s Physical Interfaces Applying a Firewall Filter to the Router s Loopback Interface Applying a Firewall Filter to Multiple Interfaces Statement Hierarchy for Applying Standard Firewall Filters xii

13 Table of Contents Restrictions on Applying Standard Firewall Filters Number of Input and Output Filters Per Logical Interface MPLS and Layer 2 CCC Firewall Filters in Lists Layer 2 CCC Firewall Filters on MX Series Routers Protocol-Independent Firewall Filters on the Loopback Interface Stateless Firewall Filter Terms Stateless Firewall Filter Components Protocol Family Filter Type Terms Match Conditions Actions Standard Firewall Filter Match Conditions for IPv4 Traffic Standard Firewall Filter Match Conditions for IPv6 Traffic Firewall Filter Match Conditions Based on Bit-Field Values Match Conditions for Bit-Field Values Match Conditions for Common Bit-Field Values or Combinations Logical Operators for Bit-Field Values Matching on a Single Bit-Field Value or Text Alias Matching on Multiple Bit-Field Values or Text Aliases Matching on a Negated Bit-Field Value Matching on the Logical OR of Two Bit-Field Values Matching on the Logical AND of Two Bit-Field Values Grouping Bit-Field Match Conditions Firewall Filter Match Conditions Based on Numbers or Text Aliases Matching on a Single Numeric Value Matching on a Range of Numeric Values Matching on a Text Alias for a Numeric Value Matching on a List of Numeric Values or Text Aliases Firewall Filter Match Conditions Based on Address Fields Implied Match on the 0/0 except Address for Firewall Filter Match Conditions Based on Address Fields Matching an Address Field to a Subnet Mask or Prefix Matching an Address Field to an Excluded Value Matching Either IP Address Field to a Single Value Matching an Address Field to Noncontiguous Prefixes Matching an Address Field to a Prefix List Firewall Filter Match Conditions Based on Address Classes Source-Class Usage Destination-Class Usage Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces Standard Firewall Filter Terminating Actions Standard Firewall Filter Nonterminating Actions xiii

14 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Trusted Source and Flood Prevention Stateless Firewall Filters Understanding How to Use Standard Firewall Filters Using Standard Firewall Filters to Affect Local Packets Using Standard Firewall Filters to Affect Data Packets Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods Fragment Handling Stateless Firewall Filters Firewall Filters That Handle Fragmented Packets Overview Example: Configuring a Stateless Firewall Filter to Handle Fragments Example: Configuring a Filter to Match on IPv6 Flags Part 3 Index Index xiv

15 About This Guide This preface provides the following guidelines for using the Junos OS Routing Protocols and Policies Configuration Guide for Security Devices: J Series and SRX Series Documentation and Release Notes on page xv Objectives on page xvi Audience on page xvi Supported Routing Platforms on page xvi Document Conventions on page xvi Documentation Feedback on page xviii Requesting Technical Support on page xviii J Series and SRX Series Documentation and Release Notes For a list of related J Series documentation, see For a list of related SRX Series documentation, see If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes. To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at xv

16 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Objectives This guide describes how to use and configure key security features on J Series Services Routers and SRX Series Services Gateways running Junos OS. It provides conceptual information, suggested workflows, and examples where applicable. Audience This manual is designed for anyone who installs, sets up, configures, monitors, or administers a J Series Services Router or an SRX Series Services Gateway running Junos OS. The manual is intended for the following audiences: Customers with technical knowledge of and experience with networks and network security, the Internet, and Internet routing protocols Network administrators who install, configure, and manage Internet routers Supported Routing Platforms Document Conventions This manual describes features supported on J Series Services Routers and SRX Series Services Gateways running Junos OS. Table 1: Notice Icons Table 1 on page xvi defines the notice icons used in this guide. Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Table 2 on page xvii defines the text and syntax conventions used in this guide. xvi

17 About This Guide Table 2: Text and Syntax Conventions Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles. show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Enclose optional keywords or variables. stub <default-metric metric>; (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Enclose a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { ) ; (semicolon) Identify a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; J-Web GUI Conventions xvii

18 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices Table 2: Text and Syntax Conventions (continued) Convention Description Examples Bold text like this Represents J-Web graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of J-Web selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at If you are using , be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC Hours of Operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Find product documentation: xviii

19 About This Guide Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at xix

20 Junos OS Routing Protocols and Policies Configuration Guide for Security Devices xx