

JUNOS High Availability. Best Practices for High Network Uptime (e-book)



JUNOS High Availability. Best Practices for High Network Uptime (e-book) - Description
Whether your network is a complex carrier or just a few machines supporting a small enterprise, JUNOS High Availability will help you build reliable and resilient networks that include Juniper Networks devices. With this book's valuable advice on software upgrades, scalability, remote network monitoring and management, high-availability protocols such as VRRP, and more, you'll have your network uptime at the five, six, or even seven nines -- or 99.99999% of the time.

Rather than focus on "greenfield" designs, the authors explain how to intelligently modify multi-vendor networks. You'll learn to adapt new devices to existing protocols and platforms, and deploy continuous systems even when reporting scheduled downtime. JUNOS High Availability will help you save time and money.

Manage network equipment with Best Common Practices
Enhance scalability by adjusting network designs and protocols
Combine the IGP and BGP networks of two merging companies
Perform network audits
Identify JUNOScripting techniques to maintain high availability
Secure network equipment against breaches, and contain DoS attacks
Automate network configuration through specific strategies and tools

This book is a core part of the Juniper Networks Technical Library™.

Table of contents:
JUNOS High Availability
SPECIAL OFFER: Upgrade this ebook with O'Reilly
Preface
What Is High Availability?
How to Use This Book
What's in This Book?
Part I
Part II
Part III
Part IV
Conventions Used in This Book
Using Code Examples
Safari Books Online
Comments and Questions
Acknowledgments
I. JUNOS HA Concepts
1. High Availability Network Design Considerations
Why Mention Cost in a Technical Book?
A Simple Enterprise Network
Redundancy and the Layered Model
Redundant Site Architectures
Redundant Component Architectures
Combined Component and Site-Redundant Architectures
Redundant System Architectures
Combined System- and Site-Redundant Architectures
Combined System- and Component-Redundant Architectures
Combined System-, Component-, and Site-Redundant Architectures
What Does It All Mean?
2. Hardware High Availability
Divide and Conquer
The Brains: The Routing Engine
RE comparison
M Series
MX Series
T Series
EX Series
SRX Series
J Series
The Brawn: The Packet Forwarding Engine
Hardware components
Model comparison
M Series
MX Series
T Series
EX Series
SRX Series
J Series
Packet Flows
M Series
MX Series
T Series
EX Series
SRX Series
J Series
Redundancy and Resiliency
M Series
MX Series
T Series
J Series
SRX Series
EX Series
3. Software High Availability
Software Architecture
Stable Foundations
Modular Design
Daemons
One OS to Rule Them
Single OS
Forks and trains
No reeducation through labor
One Release Architecture
Automation of Operations
Configuration Management
Application Programming Interfaces
Scripting
Commit scripts
Operation scripts
Event policy scripts
4. Control Plane High Availability
Under the Hood of the Routing Engine
Routing Update Process
Step 1: Verify that the RE and PFEs are up
Step 2: Verify that the socket is built
Step 3: Verify that there is a valid TNP communication
Step 4: Verify that BGP adjacencies are established
Step 5: Verify that BGP updates are being received
Step 6: Verify that route updates are processed correctly
Step 7: Verify that the correct next hop is being selected
Step 8: Verify that the correct copy of the route is being selected for kernel update
Step 9: Verify that the correct copy of the route is being sent to the forwarding plane
Step 10: Verify that the correct copy of the route is being installed into the forwarding plane on the PFE complex
Graceful Routing Engine Switchover
Implementation and Configuration
Configuration examples
Troubleshooting GRES
Graceful Restart
Graceful Restart in OSPF
Configuration
Immunizing against topology change
Graceful Restart in IS-IS
Configuration
Graceful Restart in BGP
Restarting the node
Peers
Configuration
MPLS Support for Graceful Restart
Graceful Restart in RSVP
Configuration
Graceful Restart in LDP
Configuration
Graceful Restart in MPLS-Based VPNs
Configuration
Graceful Restart in Multicast Protocols, PIM, and MSDP
Non-Stop Active Routing
Implementation Details and Configs
Non-Stop Bridging
Implementation Details and Configurations
Choosing Your High Availability Control Plane Solution
5. Virtualization for High Availability
Virtual Chassis in the Switching Control Plane
VC Roles
IDs for VCs
Priorities and the Election Process
How to rig an election
Basic VC Setup and Configuration
Eliminating Loops Within the VC
Highly Available Designs for VCs
Manipulating a split VC
Server resilience with VCs
Control System Chassis
Requirements and Implementation
Consolidation Example and Configuration
Taking Consolidation to the Next Level: Scalable Route Reflection
II. JUNOS HA Techniques
6. JUNOS Pre-Upgrade Procedures
JUNOS Package Overview
Software Package Naming Conventions
When to Upgrade JUNOS in a High Availability Environment
The Right Target Release for a High Availability Environment
High Availability Upgrade Strategy
Conduct a lab trial
Choose the device to upgrade
Ensure router steady state
Save the working configuration
System-archive a copy of the working configuration
Establish a quarantine period
Pre-Upgrade Verifications
Filesystems and Logs
Checklist
Moving Services Away from a Router
Interface Configuration
Switching Ownership of a VRRP Virtual IP
IGP Traffic Control Tweaks
OSPF and the overload bit
Moving the designated router
The overload bit and IS-IS
Moving the DIS
Label-Switched Paths
RSVP-signaled LSPs
7. Painless Software Upgrades
Snapshots
Software Upgrades with Unified ISSU
How It Works
Implementation Details
Configuration dependencies
GRES configuration
NSR configuration
Software Upgrades Without Unified ISSU
Loading a JUNOS Image
Snapshots Redux
Image Upgrade Tweaks and Options
J Series Considerations
Cleanup
Backup Images
Rescue Configuration
8. JUNOS Post-Upgrade Verifications
Post-Upgrade Verification
Device State
Verify chassis hardware
Check for alarms
Verify interfaces
Verify memory
Network State (Routes, Peering Relationships, and Databases)
Verify routing
Routing table consistency
State of Existing Services
Filesystems and Logs
Install logfiles
Messages file
Syslog settings
Removal of Configuration Workarounds
Fallback Procedures
Applicability
9. Monitoring for High Availability
I Love Logs
Syslog Overview
Facilities
Severity
Header and MSG parts
Syslog Planning
Pitfalls
Implementing Syslog
Sample configuration
Monitoring syslog
Simple Network Management Protocol
SNMP Overview
Notification categories
RMON alarms
Health monitoring
SNMP Planning
Implementing SNMP
SNMPv3
RMON
Health monitoring
Pitfalls
Traffic Monitoring
Traffic Monitoring Overview
Traffic Monitoring Planning
Implementing Traffic Monitoring
Packet sampling
Port mirroring
Counters
Route Monitoring
Route Views
Cyclops
BGPlayer
Pitfalls
10. Management Interfaces
A GUI for Junior Techs
Using J-Web
J-Web for High Availability
Mid-Level Techs and the CLI
Event Policy Planning
Sample event policy configuration
Event Policies for High Availability
Deep Magic for Advanced Techs
JUNOS APIs
XSLT
SLAX
Automation Scripts
Operation scripts
Event scripts
Working with Scripts
Planning scripts
Loading and calling scripts
Refreshing scripts
11. Management Tools
JUNOScope
Overview
JUNOScope and High Availability
Looking Glass
Configuration Manager
Inventory Management System
Software Manager
Using JUNOScope
JUNOScope installation
Juniper AIS
Overview
AIS for High Availability
Installation
AIS planning
Partner Tools
Open IP Service Development Platform (OSDP)
Partner Solution Development Platform (PSDP)
12. Managing Intradomain Routing Table Growth
Address Allocation
Interface Addressing
JUNOS interface addressing syntax
Infrastructure Routes
Customer Routes
Virtual Router Redundancy Protocol
Network Virtualization and Service Overlays
Routing instances
Logical routers
Enable VLAN tagging in the primary logical router
Configuring the service overlay
Address Aggregation
What Is Aggregation?
Practical aggregation for a large domain
Is there a risk?
Use of the Private Address Space
Private addressing and internal services
Private addressing and customer services
Private addressing, NAT, and MIP
Use of Public Address Space
Static Routes
When to configure static routes
Using Protocol Tweaks to Control Routing Table Size
IS-IS areas and levels
OSPF areas
13. Managing an Interdomain Routing Table
Enterprise Size and Effective Management
Small to Medium-Size Enterprise Perspective
Large Enterprises and Service Providers
AS Number
Border Gateway Protocol (BGP)
EBGP Loop Prevention
IBGP Loop Prevention
IBGP full-mesh requirements
Implications of full mesh for high availability
Alternatives to full mesh
Route Reflection
Route reflection basics
High availability design considerations for route reflection
Turning it on
Route reflectors and policy configuration
Route reflection and next-hop self: What not to do
What is wrong with this picture?
Be terrific; be specific
Confederation
Confederation syntax
Implications of confederation for high availability
Configuration for redundancy
How does multihop affect my routing table?
Common High Availability Routing Policies
Local address filters
Prefix-length enforcement
Default routes: To block or not to block?
Route damping
A damp policy
Implications of damping
BGP Tweak: Prefix Limit
Implications of route and prefix limits
III. Network Availability
14. Fast High Availability Protocols
Protocols for Optical Networks
Ethernet Operations, Administration, and Maintenance (OAM)
IEEE 802.1ah and 802.1ag
SONET/SDH Automatic Protection Switching
Rapid Spanning Tree Protocol
Interior Gateway Protocols
Bidirectional Forwarding Detection
Setting the Interval for BFD Control Packets
Virtual Router Redundancy Protocol
MPLS Path Protection
Fast Reroute
Node and Link Protection
15. Transitioning Routing and Switching to a Multivendor Environment
Industry Standards
Multivendor Architecture for High Availability
Two Sensible Approaches
Layered approach to multivendor networks
CDA model
PE-CE model
Site-based approach to multivendor networks
Multivendor As a Transition State
Layered transitions
Site-based transitions
Routing Protocol Interoperability
Interface Connectivity
OSPF Adjacencies Between Cisco and Juniper Equipment
OSPF authentication keys
IBGP Peering
EBGP Peering
The BGP next hop issue
The other issue
Success
16. Transitioning MPLS to a Multivendor Environment
Multivendor Reality Check
Cost Concerns
MPLS Signaling for High Availability
A Simple Multivendor Topology
RSVP Signaling
Traffic engineering
Juniper-Cisco RSVP
Router r5 configuration
LDP Signaling
A few LDP implementation differences
MPLS Transition Case Studies
Case Study 1: Transitioning Provider Devices
Phase 1: P router transition
Phase 2: P router transition
Phase 3: P router transition
Final state: P router transition
Case Study 2: Transitioning Provider Edge Devices
Phase 1: PE router transition
Phase 2: PE router transition
Phase 3: PE router transition
Phase 4: PE router transition
Final state: PE router transition
17. Monitoring Multivendor Networks
Are You In or Out?
In-Band Management
Out-of-Band Management
OoB and fxp0
Configuration groups for high availability
SNMP Configuration
JUNOS SNMP Configuration
IOS SNMP Configuration
SNMP and MRTG
Syslog Configuration
Syslog in JUNOS
Syslog in IOS
Syslog and Kiwi
Configuration Management
Configuration for AAA
TACACS+
JUNOS authentication
IOS authentication
JUNOS locally defined accounts and authorization
IOS authorization
JUNOS accounting (activity tracking)
IOS accounting (activity tracking)
JUNOS GUI Support
What IS Normal?
18. Network Scalability
Hardware Capacity
Device Resources to Monitor
Control plane capacity best practices
Data plane specifications
Network Scalability by Design
Scaling BGP for High Availability
Route reflectors and clusters
What's the point?
MPLS for Network Scalability and High Availability
Basic LSP configuration syntax
Secondary LSPs
Hot standby
Fast reroute
Link and node-link protection
Traffic Engineering Case Study
19. Choosing, Migrating, and Merging Interior Gateway Protocols
Choosing Between IS-IS and OSPF
OSPF
Advantages
Disadvantages
High availability features for OSPF in JUNOS Software
Link and node failure detection
Authenticating packets
Designated routers
Graceful Restart
Non-Stop Active Routing
Overload
Prefix limits
Bidirectional Forwarding Detection
IS-IS
Advantages
Disadvantages
High availability features for IS-IS in JUNOS Software
Link and node failure detection
Authenticating packets
Graceful Restart
Non-Stop Active Routing
Overload
Prefix limits
Bidirectional Forwarding Detection
Which Protocol Is Better?
A final thought
Migrating from One IGP to Another
Migrating from OSPF to IS-IS
Step 1: Plan for the migration
Step 2: Add IS-IS to the network
Step 3: Make IS-IS the preferred IGP
Step 4: Verify the success of the migration
Step 5: Remove OSPF from the network
Migrating from IS-IS to OSPF
Step 1: Plan for the migration
Step 2: Add OSPF to the network
Step 3: Make OSPF the preferred IGP
Step 4: Verify the success of the migration
Step 5: Remove IS-IS from the network
Merging Networks Using a Common IGP
Considerations
Area design
Matching configuration parameters
Tunneling
Other Options for Merging IGPs
BGP
Routing instances
20. Merging BGP Autonomous Systems
Planning the Merge
Architecture
Making the choice
Pitfalls
External peering
Route reflector 1
Route reflector 2
Oscillation commences
Outcomes
BGP Migration Features in JUNOS
Graceful Restart
Non-Stop Active Routing
Full mesh made easy (well, easier)
Zen and the art of AS numbers
Sometimes loopy is OK
Merging Our ASs Off
Merge with Full Mesh
IBGP
Bring in the EBGP peer
Merge with Route Reflectors
Cluster 1
Cluster 2
Merge with Confederations
Monitoring the Merge
Neighbor Peering
Persistent route oscillation
21. Making Configuration Audits Painless
Why Audit Configurations?
Knowledge Is Power
JUNOS: Configuration Auditing Made Easy
Configuration Auditing 101
Organizing the Audit
Configuration modules
Functional network areas
Organization involvement
Auditing Configurations
Baseline Configurations
Saving a baseline
Baseline configuration with JUNOS groups
Baseline configuration with commit scripts
Manually Auditing Configurations
Manual auditing through the GUI
Manual auditing through the CLI
Automating Configuration Audits
Event policies
JUNOScope
Advanced Insight Solution
Performing and Updating Audits
Auditing Intervals
Analyzing Updates
Auditing Changes
22. Securing Your Network Equipment Against Security Breaches
Authentication Methods
Local Password Authentication
RADIUS and TACACS+ Authentication
Authentication Order
Hardening the Device
Use a Strong Password, and Encrypt It
Disable Unused Access Methods
Control Physical Access to the Device
Control Network Access to the Device
Control and Authenticate Protocol Traffic
Define Access Policies
Firewall Filters
Firewall Filter Syntax
Match conditions
Actions
Evaluating filters
Implicit discard
Applying Firewall Filters
Using Firewall Filters to Protect the Network
Spoof prevention
Securing a web/FTP server
The options are endless
Using Firewall Filters to Protect the Routing Engine
Stateful Firewalls
23. Monitoring and Containing DoS Attacks in Your Network
Attack Detection
Using Filtering to Detect Ping Attacks
Using Filtering to Detect TCP SYN Attacks
Taking Action When a DoS Attack Occurs
Using Filtering to Block DoS Attacks
Filter some, filter all
Request Help from Your Upstream Provider
Attack Prevention
Eliminate Unused Services
Enable Reverse Path Forwarding
Use Firewall Filters
Use Rate Limiting
Deploy Products Specifically to Address DoS Attacks
Gathering Evidence
Firewall Logs and Counters
Port Mirroring
Sampling
cflowd
24. Goals of Configuration Automation
CLI Configuration Automation
Hierarchical Configuration
Protections for Manual Configuration
User access
Exclusive configuration
Private configuration
Transaction-Based Provisioning
Standard commits
Commit with scripts
Persistent changes
Transient changes
Script processing
Archives and Rollback
Configuration stores
Automating Remote Configuration
25. Automated Configuration Strategies
Configuration Change Types
Deployment
Network equipment
Services
Infrastructure
Ad Hoc Changes
Workarounds
One-off configurations
Automation Strategies
Global Strategies
Deployment
Hardware deployment
Interfaces
Routing engines
Service deployment
Infrastructure
Interfaces
Routing
Ad Hoc Changes
Workarounds
JUNOS issues
External device issues
One-off workarounds
IV. Appendixes
A. System Test Plan
Physical Inspection and Power On
Check General System Status
Check for Any Active Alarms
Save the System Hardware Configuration for Future Reference
Check Voltages and Temperatures
Check the Status of the Individual Components
Check Routing Engine and Storage Media
Check Routing Engine Status
Check Storage Media on Each Routing Engine
Test Optical Interfaces
Configure a Private IP Address and Run Ping Tests
Run a loopback test on SONET/SDH interfaces
Run a loopback test on Fast Ethernet and Gigabit Ethernet interfaces
Failover and Redundancy Tests
Routing Engine Redundancy
SFM Redundancy (M40e Platform Only)
Final Burn-In Check
Power Down the Router
Power On the Router/Burn-In Test
Final Checks and Power Down
B. Configuration Audit
Audit Responsibilities
Audit Response Key
Audit Checklist
Audit Interval
C. High Availability Configuration Statements
Routing Engine and Switching Control Board
cfeb
description
failover on-disk-failure
failover on-loss-of-keepalives
failover other-routing-engine
feb (Creating a Redundancy Group)
feb (Assigning a FEB to a Redundancy Group)
keepalive-time
no-auto-failover
redundancy
redundancy-group
routing-engine
sfm
ssb
Graceful Routing Engine Switchover
graceful-switchover
Nonstop Bridging Statements
nonstop-bridging
Nonstop Active Routing
commit synchronize
nonstop-routing
traceoptions
Graceful Restart
disable
graceful-restart
helper-disable
maximum-helper-recovery-time
maximum-helper-restart-time
maximum-neighbor-reconnect-time
maximum-neighbor-recovery-time
no-strict-lsa-checking
notify-duration
reconnect-time
recovery-time
restart-duration
restart-time
stale-routes-time
traceoptions
VRRP
accept-data
advertise-interval
authentication-key
authentication-type
bandwidth-threshold
fast-interval
hold-time
inet6-advertise-interval
interface
preempt
priority
priority-cost
priority-hold-time
route
startup-silent-period
traceoptions
track
virtual-address
virtual-inet6-address
virtual-link-local-address
vrrp-group
vrrp-inet6-group
Unified In-Service Software Upgrade (ISSU)
no-issu-timer-negotiation
traceoptions
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O'Reilly