Operating Juniper Networks Routers in the Enterprise Chapter

Operating Juniper Networks Routers in the Enterprise Chapter 8: Miscellaneous Features 4 -1 Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www. juniper. net

Chapter Objectives § After successfully completing this chapter, you will be able to: • List some commonly used features found in the enterprise • Describe the purpose of VRRP and identify when it is used • Configure and monitor VRRP • Describe the DHCP services offered in JUNOS software • Configure and verify properation of DHCP services 8 -2 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -2

Agenda: Miscellaneous Features àIntroduction to VRRP § Configuring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -3 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -3

What Is VRRP? § An election protocol used to designate one of multiple VRRP routers as master, which assumes the forwarding responsibilities for a LAN • Means of incorporating redundancy in a LAN • Typically used in high-availability Ethernet networks • Defined in RFC 2338 8 -4 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -4

VRRP Terminology § Virtual router—Virtual entity that functions as default router on LAN; consists of VRID and IP address used as gateway address known as VIP address § VRRP router—Any router participating in VRRP including the master and all backup routers § Master router—VRRP router performing packet forwarding and responding to ARP requests § Backup router—VRRP router available to assume the role of the master router upon failure 8 -5 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -5

VRRP Mechanics § VRRP communications: • Communicates using multicast address (224. 0. 0. 18) • Communication interval (every second by default) • Communication confined to local network (TTL = 255) • Speakers must be configured with common settings (for example, VRID and authentication parameters) • Virtual router MAC address used for LAN communications § Determining master: • Priority (higher is preferred) • Router that owns virtual router’s IP address (always master) • Preemption behavior is optional (except when VIP address is owned) 8 -6 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -6

VRRP States § VRRP states include: • Initialize—Router negotiates VRRP roles through startup events, no forwarding can be performed while in this state • Master—Router assumes traffic forwarding responsibilities for the LAN and responds to ARP requests • Backup—Router monitors master VRRP router and is ready to assume forwarding responsibilities if failure occurs • Transition—Router switches between master and backup states, no forwarding can be performed while in this state 8 -8 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -8

VRRP Design Considerations (1 of 3) § What does your network topology consist of? • How many routers are participating in VRRP? • How many outbound WAN circuits exist, and is one circuit preferred over another? § Which router do you want as master? • Does one router have advantages over another router? • What address will be used for the VIP address? § Will load balancing be needed? • Is the load significant, and is there a benefit to balancing the traffic in your environment? 8 -9 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -9

VRRP Design Considerations (2 of 3) § Will preemption be enabled? • Is maintaining the same VRRP router as the master router more important than the possible disruption that comes with preemption? § Is security on the LAN a concern? • Do you need the VRRP exchanges secured to avoid any potential security risks? 8 -11 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -11

VRRP Design Considerations (3 of 3) § Design should account for WAN link failure scenarios • Add alternate paths • Track WAN interface state to force failover Add alternate path between R 1 and R 2 Force mastership changes from R 1 to R 2 if circuit goes down R 1 = Master 1 GW=. 1. 100/24 fe 0/ -2/. 2 /24 se-1 . 1/3 0 /0/0 X . 2/3 0 VIP =. 1/24 fe- . 3/ 2/ 24 0/ 1 30 . 1/ 30. 2/ /0/0 1 e s R 2 = Backup 8 -12 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -12

VRRP Case Study: Overview § Scenario: • Occasionally, all external communications for Zoo. Net Inc. cease because of disruptions, caused by various reasons, which affect the network’s only path out towards the Internet and remote locations • Mr. Billy “The Man” Bob, the CEO of Zoo. Net Inc. , has noticed a drop in productivity because of the disruptions and has authorized the purchase of new Juniper Networks equipment to incorporate redundancy into the network design, and as a result, reduce the number of network-related disruptions 8 -13 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -13

VRRP Case Study: Existing Topology § Zoo. Net Inc. ’s existing topology consists of end users connecting to a switch that has a single connection to a single router, with a single circuit to the Internet GW=. 1. 100/24 R 1 fe-2/0/1. 1/24 se-1/0/0. 1/30 . 2/30 Test your understanding: What events could disrupt connectivity towards the Internet with the current design? 8 -14 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -14

VRRP Case Study: Proposed Topology § Zoo. Net Inc. ’s proposed topology consists of adding an additional router, configuring VRRP on the LAN interfaces for both routers, and adding a second circuit for external communications R 1 = Master 1 GW=. 1. 100/24 fe 0/ -2/ 4 2. 2/ . 1/3 0 se-1 /0/0 . 2/3 0 VIP =. 1/24 fe- . 3/ 2/ 24 0/ 1 0/0 e-1/ s . 1/ 0 3. 2/ 30 R 2 = Backup 8 -15 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -15

VRRP Case Study: Results § The results of this design: • Traffic flows through R 1 under normal operation • If R 1 fails, R 2 assumes the master role and forwards traffic • Failover between R 1 and R 2 is transparent for end users R 1 = Master GW=. 1. 100/24 0/1 / 2 fe- /24. 2 se-1 . 1/3 0 /0/0. 2/3 0 VIP =. 1/24 fe- 0 . 3/ 2/ 24 0/ 1 30 . 1/ 3. 2/ /0/0 1 e s R 2 = Backup 8 -16 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -16

Agenda: Miscellaneous Features § Introduction to VRRP àConfiguring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -17 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -17

Sample VRRP Topology GW=. 1 User X (. 100/24) User Y (. 101/24) R 1. 1/3 1 fe 0/ -2/ fe- . 1 2/ /0/0 R 2 . 2/ 24 0/ 1 0 se-1 /24 /0/0 se-1 . 2/3 0 0 3. 2/ 30 . 1/ GW=. 2 § Goals: • Configure VRRP on R 1 and R 2 to allow for redundancy during failure scenarios • Continue load-balancing all outbound traffic to make use of resources involved in the forwarding path 8 -18 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -18

Sample VRRP Configuration § Configuration on R 1 and R 2 to accomplish objectives R 1 Configuration Priority value of 255 is required when VIP and interface IP addresses are the same fe-2/0/1 { vlan-tagging; unit 100 { vlan-id 100; family inet { address 10. 222. 1. 1/24 { vrrp-group 100 { virtual-address 10. 222. 1. 1; priority 255; } vrrp-group 101 { virtual-address 10. 222. 1. 2; priority 100; } } } Group 100 = Master Group 101 = Backup R 2 Configuration fe-2/0/1 { vlan-tagging; unit 100 { vlan-id 100; family inet { address 10. 222. 1. 2/24 { vrrp-group 100 { virtual-address 10. 222. 1. 1; priority 100; } vrrp-group 101 { virtual-address 10. 222. 1. 2; priority 255; } } } Priority determines master/backup state Group 100 = Backup Group 101 = Master 8 -19 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -19

VRRP Configuration Options (1 of 2) § track • Monitors or tracks interface state for interfaces forwarding traffic received through a VRRP interface • Reduces designated priority value for a given VRRP group if tracked interface goes down—ideal way to maintain external reachability during a WAN link failure § accept-data • Allows master router to respond to ICMP requests sent to VIP address—by default, master router does not respond • Violates RFC 2338 if enabled, but can help avoid unnecessary problem reports 8 -20 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -20

VRRP Configuration Options (2 of 2) § authentication-type • Authentication options include none, simple, and MD 5 • MD 5 authentication is suggested for LANs with security concerns § preempt • Router with higher priority will assume master role—default behavior • Can turn preemption off to avoid unwanted mastership changes 8 -21 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -21

Test Your Understanding of VRRP Options § What happens if se-1/0/0. 0 goes down? Assume that a second VRRP router is configured to use similar settings except with the default priority value of 100 fe-2/0/1 { vlan-tagging; unit 100 { vlan-id 100; family inet { address 10. 222. 1. 2/24 { vrrp-group 100 { virtual-address 10. 222. 1. 1; priority 110; no-preempt; accept-data; authentication-type md 5; authentication-key "$9$w 7 sa. Uq. 5 F 6 Af. T"; ## SECRET-DATA track { interface se-1/0/0. 0 { priority-cost 11; } } } } Copyright © 2007 Juniper Networks, Inc. Education Services 8 -22

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP àMonitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -23 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -23

Monitoring VRRP Operation (1 of 2) § Use show vrrp to view VRRP state • Use the detail or extensive options to increase the amount of VRRP-related details displayed user@host> show vrrp ? Possible completions: <[Enter]> Execute this command … detail Display detailed output extensive Display extensive output … | Pipe through a command user@host> show vrrp Interface Unit Group Type Address Int state fe-2/0/1 100 lcl 10. 222. 1. 2 up vip 10. 222. 1. 1 VR state master Timer A 0. 839 8 -24 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -24

Monitoring VRRP Operation (2 of 2) § Use show vrrp interface to view VRRP details for a specific interface • To display an individual group’s details for a given interface, add the group option user@host> show vrrp interface ? Possible completions: <interface-name> Name of interface group Number of VRRP group (0. . 255) user@host> show vrrp interface fe-2/0/1 Interface: fe-2/0/1. 100, Interface index: 68, Groups: 1, Active : 1 Interface VRRP PDU statistics Advertisement sent : 48426 Advertisement received : 19 Packets received : 19 No group match received : 0 Interface VRRP PDU error statistics Invalid IPAH next type received : 0 Invalid VRRP TTL value received : 0 Invalid VRRP version received : 0 Invalid VRRP PDU type received : 0 Invalid VRRP authentication type received: 0 Invalid VRRP IP count received : 0 Invalid VRRP checksum received : 0 … Copyright © 2007 Juniper Networks, Inc. Education Services 8 -25

VRRP Tracing (1 of 2) § Set traceoptions under [edit protocols vrrp] • Flag options are specific to VRRP [edit protocols vrrp] user@host# set traceoptions ? Possible completions: + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups > file Trace file information > flag Tracing parameters [edit protocols vrrp] user@host# set traceoptions flag ? Possible completions: all Trace all events database Trace database general Trace general events interfaces Trace interface messages normal Trace normal events packets Trace packets state Trace state transitions timer Trace timer events 8 -26 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -26

VRRP Tracing (2 of 2) § View logged contents with show log filename • Logged contents are sent to /var/log/vrrpd by default user@host> show Jun 13 11: 19: 42 Jun 13 11: 19: 42 Jun 13 11: 19: 42 … log vrrpd Sending Source : 010. 222. 001. 002 Destin : 224. 000. 018 TTL : 255 Protocol: 51 45 c 00040 c 2560000 ff 330 c 820 ade 0102 e 0000012 70040000 abab 0000 c 255 c 94 c 67 e 5 a 7 dcb 2 d 9 dd 61 c 360210159010201781 d 0 ade 010100000000 8 -27 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -27

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP § Monitoring VRRP Operation àIntroduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -28 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -28

DHCP Introduced § DHCP transfers host-specific configuration details from a designated DHCP server to individual DHCP clients while managing the allocation of IP addresses on a LAN • Scalable method of managing LAN resources • Follows client/server model • Based on the BOOTP 8 -29 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -29

DHCP Terminology § DHCP server—Device that allocates IP addresses and delivers configuration settings to client hosts in a dynamic fashion § DHCP client—Device that requests network configuration details including an IP address assignment from a selected DHCP server § Relay agent—Device (generally a router) that relays DHCP requests from DHCP clients on one network to a DHCP server on a different network § Binding—Group of network configuration details linked or bound to a DHCP client; a binding includes at least an IP address and is managed by the DHCP server 8 -30 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -30

DHCP Mechanics § DHCP client: • Searches for DHCP server • Requests configuration details from a specific DHCP server • Verifies that assigned address is not in use • Applies configuration parameters assigned by DHCP server § DHCP server: • Stores configuration details defined by LAN administrator • Listens for DHCP requests from DHCP clients • Allocates configuration details to clients based on requests • Manages IP address assignment 8 -31 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -31

DHCP Services in the Enterprise § DHCP server mode (J-series routers only) • Use J-Web Quick Configuration DHCP wizard or configure through CLI at [system services dhcp] hierarchy • Compatible with DHCP server mode used within autoinstallation § DHCP/BOOTP relay agent (all JUNOS software routers) • Configured through CLI at [forwarding-options helpers bootp] hierarchy § Cannot use both options simultaneously 8 -33 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -33

DHCP Server Mode § DHCP server mode (J-series only): • Dynamically assigns addresses to end hosts from user-defined pool • Eliminates the need for a dedicated DHCP server on a LAN Configuration Details fe-2/0/1 PC configured as DHCP client DHCP Client Request . 1/24 J-series router configured for DHCP server mode X No dedicated DHCP server required 8 -35 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -35

DHCP/BOOTP Relay Agent § DHCP/BOOTP relay agent: • Router relays DHCP requests from end hosts on one network to a designated server on a different network • Eliminates the need for a DHCP server on every LAN DHCP client request DHCP client (LAN A) fe-2 Router /0/ Configuration details relayed from router to DHCP clients DHCP client (LAN B) 0 . 1/24 /0 e-2 f Configuration details are sent from server to router fe-1/0/0. 1/24 /1 . 100/24 DHCP server (LAN C) DHCP client requests relayed from router to server DHCP client request 8 -36 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -36

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services àConfiguring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -37 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -37

Configuring DHCP: Common Configuration Options (1 of 2) § Address pool—User-defined pool of IP addresses that are dynamically allocated to clients • Can specifically exclude addresses within pool range from being assigned § Static binding—Mapping between fixed IP address and a specific client’s MAC address or client identifier § Address lease—Length of time in seconds a client holds the lease for an IP address assigned by the DHCP server (default and maximum) 8 -38 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -38

Configuring DHCP: Common Configuration Options (2 of 2) § Router—IPv 4 addresses for one or more routers available to DHCP clients § Domain name server—DNS name servers available to DHCP clients § WINS server—IPv 4 addresses for one or more Net. BIOS name servers that manage the WINS database for the LAN 8 -39 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -39

Configuring DHCP: Example Interface receiving DHCP requests DHCP lease settings Router IPv 4 address sent to DHCP clients [edit interfaces] user@host# show … fe-2/0/0 { unit 0 { family inet { address 10. 3. 3. 1/24; } } } … [edit system services dhcp] user@host# show pool 10. 3. 3. 0/24 { address-range low 10. 3. 3. 2 high 10. 3. 3. 254; exclude-address { 10. 3. 3. 10; } maximum-lease-time 86400; default-lease-time 86400; name-server { 172. 18. 35. 100; } wins-server { 172. 18. 35. 105; } router { 10. 3. 3. 1; } } Address pool and exclusion settings DNS and WINS server settings 8 -40 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -40

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server àMonitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -41 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -41

Monitoring DHCP Server Operation (1 of 3) § Use show system services dhcp pool to view DHCP address pool information user@host> show system services dhcp pool Pool name Low address High address 10. 3. 3. 0/24 10. 3. 3. 1 10. 3. 3. 254 Excluded addresses 10. 3. 3. 10 • Use show system services dhcp binding to view DHCP binding and lease details user@host> show system services dhcp binding IP Address Hardware Address Type 10. 3. 3. 2 00: a 0: 12: 00: 12: ab dynamic 10. 3. 3. 3 00: a 0: 12: 00: 13: 02 dynamic Lease expires at 2004 -05 -03 13: 01: 45 PDT 2004 -05 -03 13: 01: 52 PDT 8 -42 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -42

Monitoring DHCP Server Operation (2 of 3) § Use show system services dhcp statistics to view DHCP statistics user@host> show system services dhcp statistics Packets dropped: Total 0 Messages received: BOOTREQUEST DHCPDECLINE DHCPDISCOVER DHCPINFORM DHCPRELEASE DHCPREQUEST Messages sent: BOOTREPLY DHCPOFFER DHCPACK DHCPNAK 0 0 147 0 81 138 0 132 0 8 -43 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -43

Monitoring DHCP Server Operation (3 of 3) § Use show system services dhcp conflict to view address conflict details within the DHCP pool user@host> show system services dhcp conflict Detection time Detection method 2004 -08 -03 19: 04: 00 PDT client 2004 -08 -04 04: 23: 12 PDT ping Address 10. 3. 3. 4 10. 3. 3. 5 • Use clear system services dhcp conflict to clear address conflicts • Add the address switch to clear a specific conflict user@host> clear system services dhcp conflict ? Possible completions: <[Enter]> Execute this command <address> DHCP conflict address … 8 -44 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -44

DHCP Tracing § Set traceoptions under [edit system services dhcp] • Flag options are specific to DHCP § View logged contents with show log filename • Logged contents are sent to /var/log/dhcpd by default [edit system services dhcp] user@host# show traceoptions { file dhcpd; flag conflict; flag binding; flag event; level error; } … 8 -45 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -45

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation àConfiguring a DHCP/BOOTP Relay Agent § Monitoring DHCP/BOOTP Relay Operation 8 -46 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -46

DHCP/BOOTP Relay Configuration § Sample DHCP/BOOTP relay configuration: Settings used for all interfaces not specifically referenced in configuration Interface will not listen or participate in relay services Interface will use unique settings for relay services [edit forwarding-options helpers bootp] user@host# show description "Global DHCP relay service"; server 172. 18. 24. 38; maximum-hop-count 4; minimum-wait-time 1; interface { fe-2/0/0 { no-listen; description "No DHCP relay service"; } fe-2/0/1 { description "Unique DHCP relay service"; server 172. 18. 36. 12; maximum-hop-count 4; minimum-wait-time 1; } } 8 -47 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -47

Agenda: Miscellaneous Features § Introduction to VRRP § Configuring VRRP § Monitoring VRRP Operation § Introduction to DHCP Services § Configuring a DHCP Server § Monitoring DHCP Server Operation § Configuring a DHCP/BOOTP Relay Agent àMonitoring DHCP/BOOTP Relay Operation 8 -48 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -48

Monitoring DHCP/BOOTP Relay Operation § Use traceoptions to monitor DHCP/BOOTP relay events [edit forwarding-options] user@host# show helpers { traceoptions { level all; flag bootp; } bootp { server 172. 19. 100; } } § Logged contents are sent to /var/log/fud by default • Use the show log fud command to view logged contents user@host> show Jun 25 17: 18: 52 Jun 25 17: 18: 55 log fud new server addr 172. 19. 100 port 67 routing instance default fud_config_bootp_get_defaults(): bootps defaults set requester 0. 0 if fe-2/0/0[l 2 if ] hw type 1 hw len 6 secs 0 … 8 -49 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -49

Review Questions 1. Describe a typical VRRP environment. How do VRRP routers communicate within this environment? 2. Name the VRRP states. What occurs during these VRRP states? 3. What is the purpose of a VRRP virtual router? 4. Describe the purpose of the VIP address and VRID. 5. Which platforms support DHCP server mode? 6. List some benefits of using a Juniper Networks router as a BOOTP/DHCP relay agent. 8 -50 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -50

Lab 6: Miscellaneous Features (VRRP and DHCP) § Configure and monitor VRRP. § Configure and monitor DHCP services. 8 -51 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -51

8 -52 Copyright © 2007 Juniper Networks, Inc. Education Services 8 -52