Juniper technical training


Juniper firewall product training

Market leadership: Gartner 2004 report
Juniper #1 out of 18 vendors
The Gartner Magic Quadrant report is a highly regarded evaluation of vendor strength in a specific IT market segment. It assesses vendors from every angle, including the completeness and functionality of the product line, technical strength, innovation, successful deployments, the ability to meet customers' current and future needs, and execution capability including service and support, market share, financial health and other key indicators.
• SARFT (State Administration of Radio, Film and Television) national backbone network

National backbone network: more than 50% of the equipment
Market opportunity: roughly more than US$7 billion
• The security market is estimated to hold an opportunity of more than US$7 billion
• This includes IPS, SSL VPN, routing functions and firewall/VPN
• Firewall/VPN remains the largest component of the security market
• Our strength is firewall/VPN products
• Continue to drive the development of security products
Advanced hardware design
General-purpose architecture processing:
• Data is passed across several non-optimized interfaces
• Every API introduces security risk
• Processing latency leads to unpredictable behaviour
• The data path cannot be optimized
[Figure: PC appliances and pseudo-appliances: OS, VPN coprocessor, CPU, RAM, bus, I/O, applications]
Purpose-built security processing:
• Flow-based, linear packet processing
• Every processing module is optimized
• Applications and hardware optimized for security processing and performance
[Figure: NetScreen advanced architecture: GigaScreen ASIC, CPU, high-speed backplane, RAM, I/O; security-specific real-time OS; integrated security applications]

ScreenOS features
• Security-specific real-time operating system
• Designed entirely to execute compute-intensive security functions without affecting throughput
• Tightly integrated with the hardware platform, the security operating system and the security applications
• Stateful, protocol-level intelligence
• Integrates deep inspection, anti-virus, web filtering and more
• A dedicated operating system reduces patching and testing
• The same security-specific operating system is deployed across the entire firewall/IPsec VPN product line

ScreenOS IPv6
• Production-grade commercial IPv6 support for the stateful firewall and IPsec VPN
• Dual-stack architecture lets customers support and protect IPv4 and IPv6 networks on one device at the same time
• Supports all major IPv6 migration mechanisms, including IPv4-to-IPv6 and IPv6-to-IPv4 migration (IPv4 in IPv6 tunnels and IPv6 in IPv4 tunnels) as well as NAT-PT for IPv6
• Supports the RIPng dynamic routing protocol, letting customers scale IPv6 deployments in production networks
• Protects IPv6 networks against SYN flood and other attacks, so customers can withstand denial-of-service attacks launched from IPv4 or IPv6 networks

Juniper firewall product line
NS series: NS-5GT, NS-25, NS-50, NS-HSC, NS-204, NS-208, NS-500, NS-5200, NS-5400; ISG series: ISG1000, ISG2000; SSG series: SSG5, SSG20, SSG140, SSG320, SSG350, SSG520M, SSG550M

Agenda
• Juniper introduction
• Juniper firewall/VPN product line
• Juniper ISG integrated security gateway series
• Juniper SSG secure services gateway series
• Product comparison
• Case studies

Juniper basics

• Transparent mode: the firewall looks like a Layer 2 TCP/IP device; its ports carry no IP addresses, only one global IP used for management.
• Applicable environment: generally used for security isolation between different networks in the same subnet.
• Advantages: no need to reconfigure the IP settings of routers or protected servers; no need to create address or port mappings for inbound traffic to protected servers.
NetScreen Confidential
Role of the firewall
• Developed on layers 2 to 4 of the seven-layer TCP/IP protocol model.
• Can prevent and mitigate the security impact of attacks based on layers 2 to 4 of TCP/IP.
• Some firewall devices can provide limited application-layer protection.
Choosing the deployment mode
• Juniper NetScreen firewalls have three deployment modes: transparent mode, NAT mode and route mode.
• Special mode: mixed Layer 2 and Layer 3 deployment (requires certain conditions).
1. Transparent mode
• Advantage: for internal-network access to the Internet, it saves large numbers of public IP addresses and keeps the routing structure clear.
3. Route mode
• Similar to NAT mode, this is also a Layer 3 TCP/IP device, but IP address information is not replaced as traffic passes through the firewall; hosts access the Internet or enter the network with their own source addresses.
Basic applications
• The application part of the firewall
1. Choosing and implementing the deployment mode
Device commissioning approach
• 1. Understand the network.
• 2. Decide where the firewall will be deployed.
• 3. Choose the firewall deployment mode and plan the routing information.
• 4. Determine the policy direction, addresses and services.
• 5. Define sensible access policies.

Juniper SRX3600 product configuration and maintenance training

SRX3400
Chassis design (3U)
– 7 slots (4 front, 3 rear) – maximum 4 IOCs, 4 SPCs and 2 NPCs
Fixed interfaces (SCB)
– 8-10/100/1000 + 4-SFP
Modular interfaces (IOC)
– 16-10/100/1000; 16-SFP; 2-XFP
Multi-core architecture; 2 power supplies, redundant (N+1); performance
fxp1
• This interface serves as the HA control link when running HA; it must be interconnected via Port 0 of the SPC
lo0
• Loopback 0 • You can configure one loopback interface lo0 and assign one or more IP addresses to it
©2009 Juniper Networks, Inc. All rights reserved.
SRX3400
8 GE+4 SFP 7 16 SFP, 16 GE, 2 XFP 4 4 2 1/No 1/No 10/20 Gbps 8 Gbps 3 Mpps 6 Gbps
SRX3600
8 GE+4 SFP 12 7 7 3 2/Yes 1/No 10/2030 Gbps 18 Gbps 6 Mpps 10 Gbps
JUNOS structure
Hierarchical structure
[Figure: command hierarchy from less specific to more specific: clear / configure / monitor / set / show → bgp / chassis / interfaces / isis / ospf / route / version → brief / exact / protocol / table / terse]

Juniper firewall training PPT: JNSA-SSC comparison, sec2

Copyright ©2004 Juniper Networks, Inc.
Proprietary and Confidential

Security market landscape: positioning of the main product lines
Enterprise firewalls, second half of 2003, Gartner Magic Quadrant Research Note M-22-5175, R. Stiennon, 21 April 2004
• SonicWALL
• Fortinet
How to position comprehensively against Cisco
Selling points
• Turn the purchase decision into a security decision
• Sell to the security staff and let them help convince management

Cisco Systems
Cisco PIX firewalls
What they say/do:
PIX • FWSM • IOS router firewall
• PIX is a dedicated firewall with integrated VPN,
• 3DES acceleration via a PCI bus card
[Figure: PIX product ladder by cost: PIX 535, PIX 525, PIX 515E, PIX 506E, PIX 501]
• Supports complex protocols well through "Fix Up" (ALG)
• "VoIP-ready" via H.323, small footprint, supports SIP
• The PIX 525 is the low-priced GigE entry product (330 Mbps firewall)

PIX firewalls: standalone devices from low end to high end
• Strengths: attractive product specifications, a "good enough" firewall, firewall/VPN
• Weaknesses: performance degrades under load; weaker VPN and management; no application-layer attack protection

Juniper training material: products
• Redundant Routing Engines • Redundant switch fabric
• Passive backplane • Distributed packet-forwarding system architecture • Redundant power supplies and fan system
Physical parameters
• Height: 8 RU (about 1/6 of a rack), depth: <800 mm
System capacity
• Maximum full-duplex forwarding performance of 1.44 Tbps per chassis
Hardware components shared with the MX960
• Same RE/SCB cards • Same DPC/MPC cards
Copyright © 2012 Juniper Networks, Inc.
Proprietary and Confidential

How do the MX960 system components connect?
[Figure: MX960 front view with component labels PEM0 to PEM3, FAN0, FAN1, FPB0, RE0 and SCB0]
Service slot online/offline buttons
MX960 power parameters
The system is designed for 2+2 power redundancy. Power configuration:
• The MX960 chassis is divided into 2 power zones, each needing 1 power module; 2 power modules is therefore a non-redundant configuration
• For redundancy, each power zone needs a second power module
• Power zone 1: power modules 0 and 2 feed DPCs 6 to 11, SCBs 1 and 2, and the lower fan tray
• Power zone 2: power modules 1 and 3 feed DPCs 0 to 5, SCB 0, and the upper fan tray
[Figure: MX960 rear view with slot labels RE1, SCB1, SCB2 and DPC0 to DPC11]

Training material: Juniper network security firewall pre-sales training v
– Complements IDP's defence against "phone-home" attacks (leaking private information outward) by protecting devices that are already infected
– Fully integrated with ScreenOS 5.3
• Customers can choose Kaspersky or Trend; Kaspersky is recommended
Integrated anti-spam
– Blocks spam and phishing attacks
• Integrates Symantec anti-spam into the SSG 520/550 • Uses an IP-based, robust, continuously updated list of spam senders and phishing
• Source/Destination ip Session number limit
SSG: integration of multiple leading security technologies
• Intrusion prevention:
• Anti-virus: Kaspersky
• Anti-spam: Symantec
• Web filtering: SurfControl
Other vendors mostly rely on in-house development, with incomplete and non-specialist signature databases, or support only part of the UTM feature set

DI (IPS) support for more application-layer protocols
Juniper brings carrier-grade technology to financial enterprises
[Figure: Juniper company timeline from 1996 (incorporated) to 2006, with M-Series, T-Series, Acorn, UAC and SSG milestones, revenue growth from $500M through $1B and $2B to $2.3B, and employee counts of 1000, 1500 and 2500]
– 2 options: integrated (SurfControl) or redirect (SurfControl or Websense)
URL request
Permit access

Juniper SSG firewall training: advanced

Headquarters A: IKE VPN configuration
Select the previously defined IKE Gateway from the drop-down menu
Advanced options
Headquarters A: VPN policy settings
Set Action to Tunnel
Select the A-to-C VPN
Branch C: Gateway settings
The gateway of the peer VPN device
The pre-shared key must match on both sides; select the outgoing interface for the VPN tunnel
Headquarters Trust 10.50.0.1
Mobile users
▪ Dial-up users
▪ Address objects + dial-up user address pool ▪ Service objects ▪ VPN gateway + L2TP ▪ IKE objects ▪ Security policy
Untrust 1.1.1.1
ERP 10.50.0.5
L2TP client accessing the ERP server at headquarters A
L2TP User settings: set the L2TP username and password
Components of a policy
Address
Service
▪ Source & destination addresses • Address • Address group
▪ Service • Predefined services • Custom services • Custom service groups
Action, logging, traffic counting, authentication
▪ Action ▪ Session control ▪ Logging ▪ Advanced options
Schedule, traffic shaping/counting, authentication
Creating a policy in the WebUI
▪ Components
Select the From and To security zones
Source & destination addresses
Select the previously defined addresses from the drop-down menu
▪ Address objects ▪ Service objects ▪ VPN gateway ▪ IKE objects ▪ Security policy
Headquarters
Trust 10.50.0.1
Untrust 1.1.1.1
ERP 10.50.0.5
Site-to-site VPN between headquarters A and branch C
▪ Site-to-site VPN settings on the headquarters A side
• VPN Gateway settings • VPN settings • VPN policy settings

Juniper product training

Switching Control Board
Different router models use different names for the control board:

M20: System Switching Board; M160: Switching and Forwarding Module; M10/M7i/M10i/M120: Forwarding Engine

PIC port numbers

On the M5/M7i/M10/M10i/M20 the PIC slots are numbered from right to left; on the M120/M160/T640/T1600 they are numbered from top to bottom. PIC port numbers start at 0. Ports are labelled on the PIC itself, and the numbering scheme varies from PIC to PIC.
北京千禧维讯科技有限公司
Label    Colour   State    Description
MASTER   Blue     Solid    SCG is in the master state
OK       Green    Solid    SCG is online and working normally
FAIL     Amber    Solid    SCG has failed
Craft interface
The craft interface lets you view running status and fault-diagnosis information and perform many system control functions. It is a hot-swappable component. The craft interface includes: alarm LEDs and the alarm cutoff/lamp test button; the LCD and navigation buttons; host subsystem LEDs; SIB LEDs; FPC LEDs; FPC online/offline buttons.
Agenda
Hardware architecture
Product lines
Card insertion/removal and hardware replacement

Juniper firewall application training material

1. Implementing security protection
• Juniper firewalls can prevent 31 classes of attack.
• The firewall provides a dedicated place for fine-tuning the protection settings.
• The specific security settings take effect in the corresponding security zone.
• As a network security device, a firewall can prevent some network attacks, mainly those at layers 2, 3 and 4 of TCP/IP.
• Note: at present every firewall device is weak at defending against DDoS attacks.
• Settings location: SCREENING > SCREEN

2. Dynamic VPN topology
2. Dynamic VPN settings
2. Dynamic VPN settings
2. Client/server VPN
• A VPN based on client software and a firewall at the central site.
• Generally recommended for mobile users on temporary trips; traffic over the VPN is usually small.
• Point to note: the choice of NAT traversal.
2. Client/server topology
2. Static VPN connection settings
• Environment: two networks in two locations use firewalls to build the VPN.
• The external interfaces of both firewalls have fixed public IP addresses.
2. Static VPN topology
2. VPN phase 1 (1): basic
2. VPN phase 1 (2): advanced
2. VPN phase 1 notes
• Phase 1 name.
• Phase 1 VPN gateway target (an IP address or a user).
• Phase 1 pre-shared key.
• (Client/server mode) local ID.
• Advanced section: encryption algorithm, authentication algorithm, key length.
• VPN mode: main mode or aggressive mode.
• NAT traversal.
• UDP keepalive interval
2. VPN phase 2 (1): basic
2. VPN phase 2 (2): advanced

Juniper BRAS training: device maintenance and management
• When the system is powered on and the SFM is not in the online state, or when the system is powered off, the SFM can be pulled out directly.
Fan module insertion and removal
• The E series supports hot-swapping of the fan module, but after pulling the fan module out you must reinsert it within 60 seconds; otherwise the whole system enters thermal-protection mode, all line-card modules stop, service is interrupted, and only the SRP keeps working partially.
• File system • System operation • Password recovery • Software upgrade and reinstallation • Common maintenance commands
– When powered on, if the line-card module is in neither the online nor the standby state (abnormal or transitional state), no command is needed: remove the front card first, then the rear card
– When powered off, there is no hard requirement on the removal order.
SRP insertion and removal
• If the SRP must be inserted or removed, use one of the following methods according to the E series configuration and your needs, so that data stored on the SRP is not lost. The correct shutdown procedure is also described here.
• View the configuration file currently in use
– e320#show boot
System Release: erx_7-3-4p0-7.rel
System Configuration: running-configuration
• Restore configuration, method 1; this method requires a system reboot to take effect
– e320(config)#boot config ?
– When powered off, there is no hard requirement on the installation order, but when powered on the front and rear cards must be installed as a pair; if either is missing, nothing in that slot works.
• Removal steps
– When powered on and the line-card module is in the online or standby state, first log in to the system and use the slot disable <0-16> command to disable the card in that slot, then remove the front card before the rear card
Common system file types
• .dmp: when a card restarts abnormally or crashes, the relevant memory information is written to a file with this suffix

Juniper firewall training material: Juniper-FW-Training

Juniper firewall training, Bosco Huang (黄卓超), Boscohuang@

Agenda
▪ Juniper firewall product models ▪ Juniper firewall advantages and selling points ▪ Product updates ▪ Firewall concepts ▪ Troubleshooting ▪ Daily maintenance

[Figure: Juniper firewall product line overview, performance against price: SMB/remote office, large enterprise/branch office, enterprise core/carrier/data centre]

Juniper firewall market positioning
▪ Low- and mid-range firewalls target small and medium businesses
• Purchase and maintenance cost is the primary requirement
• All-in-one security features
• Unified configuration interface
• Juniper SSG products have unmatched advantages: lower purchase cost, no need to manage multiple devices, acceptable performance (egress bandwidth <100M)
▪ High-end firewalls target carriers and large enterprises
• Performance and stability are the primary requirements
• The firewall must not become a bottleneck in network processing capacity when new services are enabled
• The firewall must be highly stable and must not disrupt normal business
• Dedicated hardware is often used for virus protection, intrusion detection/prevention and spam filtering, one appliance per function
• These are the target customers of the Juniper ISG/NS5000

Secure Services Gateway 5
▪ 160 Mbps firewall throughput ▪ 40 Mbps VPN throughput ▪ 16K concurrent sessions, 5.5K new sessions per second ▪ Deep inspection ▪ Virus scanning ▪ Anti-spam, web filtering ▪ Security zones, VLANs and virtual routers for flexible network segmentation
Flexible interface options ▪ 7 fixed 10/100 Ethernet ports + 1 low-speed WAN interface • ISDN BRI S/T • V.92 • RS-232 Serial/Aux ▪ Optional 802.11a/b/g wireless ▪ 6 models in total

Secure Services Gateway 20
Flexible interface options ▪ 5 fixed 10/100 Ethernet ports + 2 Mini-PIM expansion slots • ISDN BRI S/T • V.92 • ADSL2+ • E1/T1 • Gigabit Ethernet • Synchronous serial ▪ Optional 802.11a/b/g wireless ▪ 6 models in total ▪ 160 Mbps firewall throughput ▪ 40 Mbps VPN throughput ▪ 16K concurrent sessions, 5.5K new sessions ▪ Deep inspection ▪ Virus scanning ▪ Anti-spam, web filtering ▪ Security zones, VLANs and virtual routers for flexible network segmentation

Secure Services Gateway 140
Front panel ▪ 8 x 10/100M Ethernet ports + 2 x 10/100/1000M ports ▪ Rear panel: 4 PIM expansion slots • 2*T1/E1 • 2*Serial • 2*SHDSL • 1*E3/T3 • 1*ADSL • 1*ISDN BRI S/T • 16-port GE • 8-port GE • 6-port GE • 1-port GE ▪ 350 Mbps firewall throughput ▪ 100 Mbps VPN throughput ▪ 48K concurrent sessions, 8K new sessions ▪ Deep inspection ▪ Virus scanning ▪ Anti-spam, web filtering ▪ Security zones, VLANs and virtual routers for flexible network segmentation

Secure Services Gateway 300M Series
▪ Juniper Networks SSG 350M • 550 Mbps FW • 225 Mbps VPN • Deep inspection • Virus scanning • 5 I/O slots • Single power supply, AC or DC • 128K concurrent sessions, 12.5K new sessions • 350 VPN tunnels • 1.5U
▪ Juniper Networks SSG 320M • 450 Mbps FW • 175 Mbps VPN • Deep inspection • Virus scanning • 3 I/O slots • Single power supply, AC or DC • 64K concurrent sessions, 10K new sessions • 250 VPN tunnels • 1U
▪ Common features • 4 fixed 10/100/1000M Ethernet ports • 2 RJ45 Console/AUX ports • 2 USB ports for external storage to export logs or other system information

Secure Services Gateway 500 Series
▪ Juniper Networks SSG 550 • 4 Gbps FW • 500 Mbps VPN • Deep inspection • Virus scanning • 6 I/O slots • Redundant power supplies, AC or DC • 256K concurrent sessions, 32K new sessions • 1,000 VPN tunnels
▪ Juniper Networks SSG 520 • 2 Gbps FW • 300 Mbps VPN • Deep inspection • Virus scanning • 6 I/O slots • Single power supply, AC or DC • 128K concurrent sessions, 23K new sessions • 500 VPN tunnels
▪ Common features • 2U high, 4 fixed 10/100/1000M Ethernet ports • 2 RJ45 Console/AUX ports • 2 USB ports for external storage to export logs or other system information

A rich set of SSG interface modules (PIMs): 8-port 10/100/1000M copper; 16-port 10/100/1000M copper; 6-port 1000M fibre; 2-port E1/T1; 2-port synchronous serial; 1-port ISDN BRI S/T

Juniper ISG firewall overview
• ISG2000 • Centralised forwarding architecture; system performance is the design value • 4 Gbps firewall throughput per chassis (large packets) • 2 Gbps firewall throughput (64-byte packets) • 2 Gbps 3DES or AES VPN throughput per chassis • 1 million concurrent connections • Up to 10000 IPsec VPN tunnels • Up to 16 Gigabit or 28 Fast Ethernet ports • Up to 250 virtual firewall systems • Up to 4094 VLANs
• ISG1000 • Centralised forwarding architecture; system performance is the design value • Up to 2 Gbps firewall throughput (large packets), 1 Gbps per chassis (64-byte packets) • Up to 1 Gbps 3DES or AES VPN throughput • 500K concurrent connections • Up to 2000 IPsec VPN tunnels • Up to 12 Gigabit or 20 Fast Ethernet ports • Up to 50 virtual firewall systems • Up to 4094 VLANs
Upgrading the ISG 2000 to a firewall with hardware IDP: ISG system + IDP license key + 1 to 3 security modules = ISG system with IDP

Juniper NS5000 firewall overview
• NS5400 • Distributed processing; performance scales linearly as cards are added • Up to 30 Gbps firewall throughput (256-byte packets) • 12 Gbps firewall throughput (64-byte packets) • Up to 15 Gbps 3DES or AES VPN throughput • 2 million concurrent connections • 25,000 IPsec VPN tunnels • 24 Gigabit or 6 10-Gigabit ports • 500 virtual firewall systems • 4094 VLANs
• NS5200 • Distributed processing; performance scales linearly as cards are added • Up to 10 Gbps firewall throughput (256-byte packets), 4 Gbps per chassis (64-byte packets) • Up to 5 Gbps 3DES or AES VPN throughput • 1 million concurrent connections • 25,000 IPsec VPN tunnels • 8 Gigabit or 2 10-Gigabit ports • 500 virtual firewall systems • 4094 VLANs

Juniper NS5000 interface cards
▪ NetScreen-5000 8G2 interface module • 8 Gigabit mini-GBIC ports • 8 Gbps firewall / 4 Gbps 3DES/AES VPN performance • Up to 4-port aggregation
▪ NetScreen-5000 2XGE interface module • 2 10-Gigabit XFP ports • 10 Gbps firewall / 4 Gbps 3DES/AES VPN performance • Short-reach or long-reach transceivers
▪ Common features • 2 GigaScreen3 ASICs built into each interface card • Jumbo frames up to 9.6K • Compatible with the 5000-MGT2 management module

Firewall operating system: ScreenOS
[Figure: purpose-built hardware platform (RISC CPU, ASIC, memory, interfaces); security-specific real-time OS with dynamic routing, virtualization, high availability and centralized management; integrated security applications: denial of service, VPN, firewall, traffic management]
A software system designed for security services:
▪ Carrier-grade routing: RIP/OSPF/BGP4/PBR ▪ High availability: Redundant Interface/Track IP/NSRP ▪ Virtualization: virtual firewalls ▪ UTM features: AV/IPS/Anti-SPAM/URL Filtering… ▪ Authentication via RADIUS, LDAP, PKI, internal DB, SecurID, MS AD and more ▪ Over 10 years of accumulated industry experience ▪ Support for many enterprise applications such as H323/SIP/MGCP/Skinny ▪ Security zones / stateful inspection / deep inspection ▪ VPN features: IPsec/XAuth/L2TP/GRE

Firewall security engine: GigaScreen3 ASIC
• Juniper/NetScreen 4th-generation security processing chip (released 2003) • 3 Mpps stateful inspection/NAT performance • 1.5 Mpps encryption/decryption performance (IPsec VPN) • Built-in protection against 16 common attacks (SYN flood, ICMP flood, UDP flood and others) • Integrates 6 Packet Processing Unit (PPU) accelerators for: VPN encryption/decryption (AES, 3DES, DES, SHA-1, MD5), TCP 4-way close, IP fragment reassembly, IKE negotiation acceleration, traffic counting • Microcode programmable, so ASIC functions can be updated through software releases • Used in the ISG/NS5000 product series

Stateful firewall inspection
▪ Stateful inspection of TCP ▪ Stateful inspection of stateless protocols such as IP/ICMP/UDP ▪ Stateful inspection of complex protocols • H.323 (Cisco/Avaya/Polycom/NEC…) • SIP • MGCP • Skinny • FTP/TFTP • RTSP/Real • Microsoft RPC/Sun RPC • SQL • PPTP • SCTP • GTP/GPRS

Complete VPN feature support
▪ Supports the IETF IPsec VPN standard • Interoperates with all RFC-compliant IPsec gateways • IPsec VPN NAT Traversal • Remote access with XAuth • IPsec VPN in transparent mode • The unique ACVPN feature simplifies large-scale full-mesh VPN deployments ▪ L2TP VPN and L2TP over IPsec for easy remote access by Windows users ▪ GRE tunnels and GRE over IPsec, so multicast applications can be carried through VPN tunnels

Unified threat management (UTM)
[Figure: inbound and outbound threats: web filtering (SurfControl) blocks spyware, phishing and unapproved site access; anti-virus (Kaspersky Lab) stops viruses, file-based Trojans and the spread of spyware, adware and keyloggers; anti-spam (Symantec) stops spam and phishing; Juniper IPS detects and stops worms, Trojans, DoS, reconnaissance and scans; core security: Juniper stateful firewall, VPN and access control]

Economical, flexible virtual systems
IEEE 802.1Q VLAN trunk; traffic is mapped by VLAN to virtual firewalls. Customer areas are physically separated into VLANs (VLAN to customer A, B, C) and logically separated by virtual firewalls. Each customer manages its own device independently: separate routing tables, security policies, address books and administrator accounts.

Flexible deployment
▪ Route mode: carrier-grade routing • RIP • OSPF • BGP • Policy-based routing • ECMP ▪ Transparent (bridge) mode • No change to the existing topology, plug and play • NAT in transparent mode (ScreenOS 6.2) and IPsec VPN ▪ A rich set of WAN interface card types for any kind of network connection ▪ Virtual routers / virtual firewalls increase service flexibility ▪ IPv6 Ready • IPv4/IPv6 dual stack • NAT-PT • 6to4 tunnels • 6in4 and 4in6 tunnels • RIPng, with OSPFv3 coming soon

High availability
▪ Main features • Active/Passive, Active/Active and Active/Active full-mesh deployments • All firewall/VPN state is synchronised, so failover carries over active sessions, NAT, VPN tunnels and Security Associations ▪ Benefits • No service interruption; failover is transparent to users • Improved service resilience ▪ Problems solved by the Juniper HA firewall design • Protection against multi-point failures • Link or neighbouring-device failures are masked by interface failover without device failover and without packet loss • Dual redundant HA heartbeat links • The Track IP mechanism checks the health of the full path • Automatic configuration synchronisation, simple maintenance

Friendly management interface
Integrated management platform: Telnet, SSH, HTTP, HTTPS, DMI, SNMP, Syslog. Juniper firewalls offer an open, standards-based management framework: ScreenOS CLI ▪ Telnet ▪ SSH; Web ▪ Quick Setup with Templates ▪ Dashboard View ▪ Performance Monitoring; Juniper NSM ▪ Discovery & Configuration ▪ Policy Management ▪ Inventory Management ▪ Log Management; third-party NMS; Juniper STRM ▪ Threat Detection ▪ Event Log Management ▪ Compliance & IT Efficiency

New-generation security operating system: JUNOS-ES (JUNOS Enhanced Services)
▪ A fusion of the carrier-grade JUNOS routing operating system and the ScreenOS security operating system • Advanced features such as MPLS/NSF/NSR from JUNOS • The hierarchical CLI configuration style from JUNOS • Security features from ScreenOS: security zones/NAT/IPsec VPN/Screen/deep inspection/UTM • Advanced management features such as Commit and JUNOS Scripts ▪ An integrated unified security platform • Stateful inspection • IPsec VPN • Intrusion detection and prevention • Anti-virus/anti-spam (roadmap) • DDoS attack protection ▪ Distributed architecture • Clean separation of control and forwarding planes • Fully redundant distributed system; performance scales linearly with the number of security service cards • Meets the requirement for performance growth on demand ▪ Only for the SRX and J series routers

Juniper new-generation firewalls: SRX5000 series
▪ SRX5600 ▪ Fully redundant routing engines, security service engines, switch fabric, power supplies and fan trays ▪ 8U / 8 slots ▪ Firewall throughput 60 Gbps ▪ VPN 18 Gbps ▪ IDP 18 Gbps ▪ Concurrent sessions 4M ▪ New and sustained connections per second 300k ▪ Concurrent VPN tunnels 100k
▪ SRX5800 ▪ Fully redundant routing engines, security service engines, switch fabric, power supplies and fan trays ▪ 16U / 14 slots ▪ Firewall throughput 120 Gbps ▪ VPN 36 Gbps ▪ IDP 36 Gbps ▪ Concurrent sessions 8M ▪ New and sustained connections per second 300k ▪ Concurrent VPN tunnels 100k

Juniper new-generation firewalls: SRX3000 series
▪ SRX3400 ▪ Redundancy of key components ▪ 3U / 7 expansion slots ▪ Firewall throughput 10 Gbps ▪ VPN 8 Gbps ▪ IDP 6 Gbps ▪ Concurrent sessions 1M ▪ New and sustained connections per second 120k ▪ Concurrent VPN tunnels 10k
▪ SRX3600 ▪ Redundancy of key components ▪ 5U / 12 expansion slots ▪ Firewall throughput 30 Gbps ▪ VPN 14 Gbps ▪ IDP 10 Gbps ▪ Concurrent sessions 2M ▪ New and sustained connections per second 120k ▪ Concurrent VPN tunnels 30k

SRX competitive advantages
▪ Full redundancy of key components: lower cost and simpler redundancy design than the dual-chassis deployment of traditional firewalls ▪ Overcomes the design flaw of traditional firewalls, which have no real switch fabric, by using the switch fabric of Juniper backbone routers (960 Gbps), which makes capacity expansion easy ▪ Incorporates the routing features of Juniper backbone routers for better support of advanced routing features such as ISIS, BGP and NSF/NSR ▪ Fully integrates the security features of ScreenOS, making it a trustworthy security solution

Security Zone: Juniper firewalls add the new concept of a security zone. A security zone is a logical construct: a collection of physical interfaces that share the same attributes.

Juniper router internal training material: JUNOS_Lab_Guide_Module1_Sec7

V1.0, 02/15/08

Lab 7-1 Troubleshooting

Objectives

The objective of this lab is to provide you with a series of outputs you can use to troubleshoot and diagnose issues that may arise from the configuration of policies, protocols, firewalls, and enhanced services. This module is not intended to be an all-inclusive document but rather a reference to help you ensure that your configurations meet the assignments in the previous labs. It is understood that time may not permit you to use all of these commands. As mentioned in module one, however, it is imperative that you verify correct operation of your configuration; therefore we are including some of the more common outputs used.

Assignment: Use the command line interface to issue commands that verify the correct operation of your configurations from all labs done in this course. Specifically, verify correct operation of the following:
- Interfaces
- Protocols
- OSPF
- RIP
- Policy
- Firewall
- Stateful firewall
- Screen Options

Lab 7-2 Interfaces

Use the show interfaces terse command to display a terse listing of all interfaces installed in the router along with their administrative and link-layer status. The output shows the status of all the interfaces on our router. It helps to have an understanding of what the different Admin and Link status values may indicate.

When an interface is administratively disabled, the physical interface has an Admin status of down and a Link status of up, and the logical interface has an Admin status of up and a Link status of down. The physical interface has a Link status of up because the physical link is healthy (no alarms). The logical interface has a Link status of down because the data-link layer cannot be established end to end.

When an interface is not administratively disabled and the data-link layer between the local router and the remote router is not functioning, the physical interface has an Admin status of up and a Link status of up, while the logical interface has an Admin status of up and a Link status of down. The physical interface has a Link status of up because the physical link is healthy (no alarms). The logical interface has a Link status of down because the data-link layer cannot be established end to end.

If we see that our interface is not listed as up/up, but rather Admin up and Link down, we can troubleshoot inconsistencies in the configuration or settings on both sides of the link. The show interfaces <interface-name> <extensive | brief | detail | statistics> output shows specific information about settings on the interface as well as drops, errors, alarms, flags, and hardware-specific media alarms. The following are some examples of these outputs.

The output of a show interfaces command displays the device-level configuration and provides additional information about the device's operation through various flags.
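The Admin/Link combinations above are easy to misread by eye on a router with many interfaces. The following is an added example (not part of the lab guide) that parses constructed show interfaces terse output in the standard column layout (Interface, Admin, Link, Proto, Local, Remote) and classifies each physical interface by the two rules the text gives; it also generalizes slightly by flagging the plain physical-link-down case, which the text does not discuss.

```python
"""Classify JUNOS 'show interfaces terse' output by the Admin/Link rules in Lab 7-2.

Added example, not from the lab guide. Assumes the standard terse column layout:
Interface, Admin, Link, Proto, Local, Remote. The sample output is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample of 'show interfaces terse' output (not a real capture).
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.0.0.1/24
ge-0/0/1                down  up
ge-0/0/1.0              up    down inet     10.0.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    down inet     10.0.2.1/24
ge-0/0/3                up    down
ge-0/0/3.0              up    down inet     10.0.3.1/24
lo0                     up    up
lo0.0                   up    up   inet     192.168.255.1       --> 0/0
"""


@dataclass
class Iface:
    name: str
    admin: str
    link: str
    units: list = field(default_factory=list)  # logical units (name.unit)


def parse_terse(text):
    """Return {physical_name: Iface}, with logical units attached to their parent."""
    physical = {}
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        name, admin, link = parts[0], parts[1], parts[2]
        if "." in name:
            # Logical unit: attach to the parent, creating a placeholder if the
            # physical line has not been seen yet.
            parent = name.split(".")[0]
            physical.setdefault(parent, Iface(parent, "?", "?")).units.append(
                Iface(name, admin, link))
        else:
            ifc = physical.setdefault(name, Iface(name, admin, link))
            ifc.admin, ifc.link = admin, link
    return physical


def diagnose(ifc):
    """Map the Admin/Link combinations described in the lab text to a diagnosis."""
    unit_link_down = any(u.link == "down" for u in ifc.units)
    if ifc.admin == "down":
        # Physical admin down / link up, logical up / down: administratively disabled.
        return "administratively disabled"
    if ifc.link == "down":
        # Not covered by the lab text: the physical link itself is unhealthy.
        return "physical link down (cable, carrier, or far-end fault)"
    if unit_link_down:
        # Physical up / up but logical link down: data-link layer not established.
        return "data-link layer failure: check settings on both ends of the link"
    return "up/up"


def report(text):
    """Diagnosis per physical interface name."""
    return {name: diagnose(ifc) for name, ifc in parse_terse(text).items()}


if __name__ == "__main__":
    for name, state in report(SAMPLE_TERSE).items():
        print(f"{name:12} {state}")
```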
These flags include the following:
- Down: Device was administratively disabled.
- Hear-Own-Xmit: Device will hear its own transmissions.
- Link-Layer-Down: The link-layer protocol failed to successfully connect with the remote endpoint.
- Loopback: Device is in physical loopback.
- Loop-Detected: The link layer received frames that it sent and suspects a physical loopback.
- No-Carrier: Where the media supports carrier recognition, this indicates that no carrier is currently seen.
- No-Multicast: Device does not support multicast traffic.
- Present: Device is physically present and recognized.
- Promiscuous: Device is in promiscuous mode and sees frames addressed to all physical addresses on the medium.
- Quench: Device is quenched because it overran its output buffer.
- Recv-All-Multicasts: No multicast filtering (multicast promiscuous).
- Running: Device is active and enabled.

The status of the interface is communicated with one or more flags. These flags include the following:
- Admin-Test: Interface is in test mode, which means that some sanity checking, such as loop detection, is disabled.
- Disabled: Interface is administratively disabled.
- Hardware-Down: Interface is nonfunctional or incorrectly connected.
- Link-Layer-Down: Interface keepalives indicate that the link is incomplete.
- No-Multicast: Interface does not support multicast traffic.
- Point-To-Point: Interface is point to point.
- Promiscuous: Interface is in promiscuous mode and sees frames addressed to all physical addresses.
- Recv-All-Multicasts: No multicast filtering (multicast promiscuous).
- SNMP-Traps: SNMP traps are enabled.
- Up: Interface is enabled and operational.

The operational status of the device's link-layer protocol is also indicated with flags. These flags include the following:
- Give-Up: Link protocol does not continue to retry to connect after repeated failures.
- Keepalives: Link protocol keepalives are enabled.
- Loose-LCP: PPP does not use LCP to indicate whether the link protocol is up.
- Loose-LMI: Frame Relay will not use LMI to indicate whether the link protocol is up.
- Loose-NCP: PPP does not use NCP to indicate whether the device is up.
- No-Keepalives: Link protocol keepalives are disabled.

The output also summarizes the device-level traffic load, which is displayed in both bits and packets per second, as well as any alarms that might be active. The final portion of the command output displays the configuration and status of each logical unit defined on that device.

Now we look at the show interfaces extensive command. In this output we narrow our attention to the section for traffic statistics and input and output errors. The following is a list of some of the fields displayed there and a brief explanation of what the non-obvious ones mean.

Input
- Errors: Displays the sum of the incoming frame aborts and frame check sequence (FCS) errors.
- Policed discards: Displays the frames that the incoming packet match code discarded because they were not recognized or of interest. Usually, this field reports protocols that JUNOS software does not handle, such as Cisco Discovery Protocol (CDP) / Spanning Tree Protocol (STP), or any protocol type JUNOS software does not understand. (On an Ethernet network, numerous possibilities exist.)
- L3 incompletes: This counter increments when the incoming packet fails Layer 3 (usually IPv4) checks of the header. For example, a frame with less than 20 bytes of available IP header would be discarded, and this counter would increment.
- L2 channel errors: This counter increments when the software cannot find a valid logical interface (such as e3-1/2/3.0) for an incoming frame.
- L2 mismatch timeouts: Displays the count of malformed or short packets that cause the incoming packet handler to discard the frame as unreadable.
- SRAM errors: This counter increments when a hardware error occurs in the SRAM on the PIC. The value in this field should always be 0. If it increments, the PIC is malfunctioning.

Output
- HS link CRC errors: Displays the count of errors on the high-speed links between the ASICs responsible for handling the router interfaces.
- Carrier transitions: Displays the number of times the interface has gone from down to up. This number should not increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and up, or a similar problem occurs. If it does increment quickly (perhaps every 10 seconds), then either the transmission line, the far-end system, or the PIC is broken.
- Errors: Displays the sum of the outgoing frame aborts and FCS errors.
- Drops: Displays the number of packets dropped by the output queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
- Aged packets: Displays the number of packets that remained in shared packet SDRAM for so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.

Lab 7-3 Protocols

The first protocol that we configured in our labs was OSPF. Let's take a look at some outputs that will help us determine the overall health of OSPF.
In doing this we will look to see if the interfaces are configured for OSPF, if we are seeing adjacencies, and if we are learning our routes.

The show ospf route command displays those routes in the unicast routing table, inet.0, that were installed by OSPF. The use of additional keywords allows you to display only OSPF routes learned by specific LSA types. The output fields of the show ospf route command are the following:
- Prefix: Displays the destination of the route.
- Route/Path Type: Displays how the route was learned: ABR (route to area border router), ASBR (route to AS border router), Ext (external route), Inter (interarea route), Intra (intra-area route), or Network (network route).
- Metric: Displays the route's metric value.
- Next hop i/f: Displays the interface through which the route's next hop is reachable.
- Next hop addr: Displays the address of the next hop.
- area (detail output only): Displays the area ID of the route.
- options (detail output only): Displays the option bits from the LSA.
- origin (detail output only): Displays the router from which the route was learned.

The show ospf interface command displays information relating to the interfaces on which the respective protocol is configured to run. In the case of OSPF, the output fields are the following:
- Interface: Displays the name of the interface running OSPF.
- State: Displays the state of the interface. It can be BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.
- Area: Displays the number of the area in which the interface is located.
- DR ID: Displays the address of the area's DR.
- BDR ID: Displays the BDR for a particular subnet.
- Nbrs: Displays the number of neighbors on this interface.
- Type (detail and extensive output only): Displays the type of interface. It can be LAN, NBMA, P2MP, P2P, or Virtual.
- Address (detail and extensive output only): Displays the IP address of the neighbor.
- Mask (detail and extensive output only): Displays the mask of the interface.
- MTU (detail and extensive output only): Displays the interface's MTU.
- Cost (detail and extensive output only): Displays the interface's cost (metric).
- DR addr (detail and extensive output only): Displays the address of the DR.
- BDR addr: Displays the address of the BDR.
- Adj count (detail and extensive output only): Displays the number of adjacent neighbors.
- Flood list (extensive output only): Displays the list of LSAs pending flood on this interface.
- Ack list (extensive output only): Displays the list of pending acknowledgments on this interface.
- Descriptor list (extensive output only): Displays the list of packet descriptors.
- Dead (detail and extensive output only): Displays the configured value for the dead timer.
- Hello (detail and extensive output only): Displays the configured value for the hello timer.
- ReXmit (detail and extensive output only): Displays the configured value for the retransmit timer.
- OSPF area type (detail and extensive output only): Displays the type of OSPF area, which can be Stub, Not Stub, or NSSA.

Next we can check to see if the interfaces we have configured for OSPF are forming adjacencies. The show ospf neighbor command displays adjacency status for the respective protocol. In the case of OSPF, the output fields include the following:
- Address: Displays the address of the neighbor.
- Intf: Displays the interface through which the neighbor is reachable.
- State: Displays the state of the neighbor, which can be Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2Way.
- ID: Displays the RID of the neighbor.
- Pri: Displays the priority of the neighbor to become the DR.
- Dead: Displays the number of seconds until the neighbor becomes unreachable.
- area (detail and extensive output only): Displays the area in which the neighbor is located.
- opt (detail and extensive output only): Displays the option bits from the neighbor.
- DR (detail and extensive output only): Displays the address of the DR.
- BDR (detail and extensive output only): Displays the address of the BDR.
- Up (detail and extensive output only): Displays the length of time since the neighbor came up.
- adjacent (detail and extensive output only): Displays the length of time since the adjacency with the neighbor was established.

Now that we have taken a look at OSPF, let's take a brief look at some of the commands we can use to verify operation of the RIP protocol.

The show rip neighbor output displays information about RIP neighbors. This is a list of the fields and what they mean:
- Neighbor: Name of the RIP neighbor.
- State: State of the connection: Up or Dn (Down).
- Source Address: Source address.
- Destination Address: Destination address.
- Send Mode: Send options: broadcast, multicast, none, or version 1.
- Receive Mode: Type of packets to accept: both, none, version 1, or version 2.
- In Met: Metric added to incoming routes when advertising into RIP routes that were learned from other protocols.

The show route protocol rip output displays the route entries in the routing table that were learned from RIP. A description of some of the fields follows:
- active: Number of routes that are active.
- holddown: Number of routes that are in the hold-down state prior to being declared inactive.
- hidden: Number of routes not used because of routing policy.
- +: A plus sign before [protocol/preference] indicates the active route, which is the route installed from the routing table into the forwarding table.
- -: A hyphen before [protocol/preference] indicates the last active route.
- *: An asterisk before [protocol/preference] indicates that the route is both the active and the last active route. An asterisk before a 'to' line indicates the best subpath to the route.

To see what RIP routes are being sent or received on the router, issue the show route advertising-protocol rip <egress-interface-address> and show route receive-protocol rip <remote-advertising-interface-address> commands. The field definitions are the same as above:
- active: Number of routes that are active.
- holddown: Number of routes that are in the hold-down state prior to being declared inactive.
- hidden: Number of routes not used because of routing policy.
- +: A plus sign before [protocol/preference] indicates the active route, which is the route installed from the routing table into the forwarding table.
- -: A hyphen before [protocol/preference] indicates the last active route.
- *: An asterisk before [protocol/preference] indicates that the route is both the active and the last active route. An asterisk before a 'to' line indicates the best subpath to the route.

Lab 7-4 Policy

When troubleshooting policy, two of the most common commands are show route receive-protocol and show route advertising-protocol. When issuing these commands it's important to understand where we are getting the outputs from.
The commands on the slide show the routing updates received before import policy processing and the routing updates sent after export policy processing. Use the show route receive-protocol protocol neighbor command to show the specified protocol-type route advertisements that a particular neighbor is advertising to your router before import policy is applied. Use the show route advertising-protocol protocol neighbor command to show the protocol-type route advertisements that you are advertising to a particular neighbor after export policy is applied.
The use of route filters marks an exception to the behavior documented previously. JUNOS software evaluates route filters before the output of a show route receive-protocol command is generated. Thus, you must specify the hidden switch to the show route receive-protocol command to display received routes filtered by your import policy.
If you want to monitor the effects of an import policy, use the show route protocol protocol command. This command shows all routes from the protocol type specified that are installed in the routing table.
Another way we can troubleshoot policy is to use the test policy <policy name> <prefix> command. By using this command you can test policies that are created (and committed) on the router for a specific prefix to see if the policy will have the desired effect on the prefix being tested.

It is important to keep in mind that the default action of 'test' is to accept. Note the difference in behavior once we add a second, catch-all term to reject any remaining routes.

Lab 7-5 Stateless Firewall Filters (Packet Filters)
One of the more common ways to test firewall filters is to set up counters to capture discarded and accepted packets.
If we see packets increment in the discard counter, then we can at least be assured that our filter is applied and that packets are matching. Please recall that in a previous lab we used a firewall filter to match on ICMP and a counter to show that it was working correctly. The following command, show firewall, shows the counter we created and the amount of traffic that has matched it.

Another method for troubleshooting is to look at the firewall log created specifically for packets dropped due to firewall match criteria. The log modifier writes packet header information to a memory-resident buffer in the PFE.

The following chart shows the output field definitions:
-Time of Log: Time that the event occurred. (example: to be provided)
-Filter: Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level.
  • A hyphen (-) indicates that the packet was handled by the Packet Forwarding Engine.
  • A space (no hyphen) indicates the packet was handled by the Routing Engine.
  • The notation pfe indicates packets logged by the Packet Forwarding Engine hardware filters.
  (example: to be provided)
-Filter Action: Filter action: A—Accept, D—Discard, R—Reject. (example: to be provided)
-Name of Interface: Ingress interface for the packet. (example: to be provided)
-Name of protocol: Packet's protocol name: egp, gre, ipip, ospf, pim, rsvp, tcp, or udp. (example: to be provided)
-Packet length: Length of the packet. (example: to be provided)
-Source address: Packet's source address. (example: to be provided)
-Destination address: Packet's destination address and port. (example: to be provided)

Finally, one more way to look at the results of our firewall filters is to create a system log file that matches on the packets that have been dropped as a result of the firewall filter applied to the router.
First of all, take a look at the system syslog settings that allow us to analyze the log files. Then, as part of the firewall filter, we include the action of syslog:

Finally, we can now take a look at the log files created as a result of our work.

In this section we will see a couple of outputs that give us useful information on stateful firewalls, zones, and the interfaces that participate. One thing to keep in mind is that the output for flows shows up only if traffic has passed within a certain amount of time. This means that even though your configuration may be correct, the output may not show incrementing values without traffic.

This output is shown to let you see that, with JES configured on your router, a show interfaces output references the zones assigned to the logical portion of your interface. This can be helpful when determining if your zones have been applied correctly, and it gives you some basic information as to the amount and type of traffic being allowed to traverse your interface.

Conversely, if you would rather take a look at the zones configured on your router, the show security zones output will show you the zones configured as well as the interfaces associated with these zones. Additional information can be found here that lets us know any settings we have for the return traffic.
For instance, if we have decided to send a reset for non-SYN session TCP packets, this information would be shown under the security zone section of this output.

The output above summarizes all of the active sessions that have been created.

From time to time it may become necessary to clear flows on your router; the output above shows this. You also have the ability to clear specific sessions with the session identifier.

Lab 7-7 Screen Options
For the lab and objective assignments, sending ping packets that are obviously too large and then monitoring the command show security screen statistics zone <zone name> should give us an indication of whether or not our configuration will account for the specific type of attack we are mitigating. Because this output has already been seen in module 6, the output above may look a bit familiar. ☺
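The firewall log fields listed in Lab 7-5 are easiest to act on once the log is turned into counts per action and per source. The following is an added example, not part of the lab guide and not Juniper code: the sample output is constructed to mirror the column layout the lab describes (the real show firewall log spacing may differ), so the parser derives column positions from the header line instead of hard-coding them, which also keeps a blank Filter column (Routing Engine) distinct from a hyphen (Packet Forwarding Engine) and from pfe (hardware filters).

```python
"""Summarise discarded and rejected packets from 'show firewall log'-style output.

Added example, not from the lab guide. SAMPLE_LOG is constructed to follow
the column layout the lab describes; column boundaries are taken from the
header line so a blank Filter cell (Routing Engine) is preserved.
"""
from collections import Counter

SAMPLE_LOG = """\
Time      Filter    Action Interface     Protocol   Src Addr         Dest Addr
13:10:12  icmp-drop D      ge-0/0/0.0    ICMP       10.1.1.10        10.2.2.20
13:10:13  icmp-drop D      ge-0/0/0.0    ICMP       10.1.1.10        10.2.2.20
13:10:15  pfe       D      ge-0/0/1.0    TCP        10.1.1.11        10.2.2.21:22
13:10:16  -         A      ge-0/0/0.0    TCP        10.1.1.12        10.2.2.22:80
13:10:18            R      ge-0/0/0.0    UDP        10.1.1.13        10.2.2.23:53
"""

COLUMNS = ("Time", "Filter", "Action", "Interface", "Protocol", "Src Addr", "Dest Addr")


def parse_firewall_log(text):
    """Return one dict per log row, with the Filter column decoded as the lab defines it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = [header.index(name) for name in COLUMNS]      # column start offsets
    bounds = list(zip(starts, starts[1:] + [None]))        # last column runs to end of line
    records = []
    for row in rows:
        rec = dict(zip(COLUMNS, (row[a:b].strip() for a, b in bounds)))
        name = rec["Filter"]
        if name == "-":
            rec["handled_by"] = "PFE"                      # hyphen: Packet Forwarding Engine
        elif name == "":
            rec["handled_by"] = "RE"                       # blank: Routing Engine
        elif name == "pfe":
            rec["handled_by"] = "PFE hardware filter"
        else:
            rec["handled_by"] = "filter " + name           # a named [edit firewall] filter
        records.append(rec)
    return records


def summarize(records):
    """Counts per filter action, and dropped packets (D or R) per protocol and source."""
    by_action = Counter(r["Action"] for r in records)
    dropped = Counter((r["Protocol"], r["Src Addr"])
                      for r in records if r["Action"] in ("D", "R"))
    return {"by_action": dict(by_action), "dropped_by_source": dict(dropped)}


if __name__ == "__main__":
    for key, value in summarize(parse_firewall_log(SAMPLE_LOG)).items():
        print(key, value)
```

Sources that dominate dropped_by_source are the ones to examine first; a source that trips the same filter repeatedly is either misconfigured or probing, and the per-source count separates that from a single stray packet.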

Juniper FW after-sales training PPT lesson plan

Configuration > Date/Time
The simplest way to set the time is to press the "Sync Clock With Client" button. The system then synchronizes its own clock with the local clock of the management client. If there is an NTP server in the user's network, it can also be configured on this page.
Basic system configuration ----- System DNS settings
Network > DNS > Host
Disaster recovery ----- Restoring system files II
Disaster recovery ----- Restoring system files III
• When the prompt "Save to on-board flash disk?" appears, press "Y" to save the OS to flash.
• When the prompt "Run download system image?" appears, press "Y" to run the new OS.
• b. Connect to the firewall's Console port with a console cable
After the device boots normally, the Power LED is solid green and the Status LED blinks green.
• c. Use the PC's terminal program to access the firewall's Console process.
Logging in to the firewall ----- Log in from Console III
Select the correct serial port
The default parameters of the Windows HyperTerminal can be used
Deep Inspection (Deep Inspection/IPS)
License Key management ----- Capacity License Key management Configuration > Update > ScreenOS/Keys
Select "License Key Update", click the "Browse" button and choose the license file from the client's file directory; then click
Configuration > Admin > Management
Enable Web Management Idle Timeout sets the idle timeout for WebUI logins. The various Port fields set the port used by each login method; when the WebUI is accessed from the external network, changing the default port is recommended.

Juniper EX series switch sales training

Module Description          | Max Ports | Interface
48-port 10/100/1000B-T      | 768       | RJ45
48-port 100B-FX/1000B-X     | 768       | SFP
8-port 10GbE                | 128       | SFP+
– MPLS & L3 VPNs
– GRE tunnels
– IPv6
Juniper EX series switches
Agenda
• Switch market overview
• EX series introduction
• Comparison with Cisco
• Competitive sales guidance
Global switch market situation
• The overall global Ethernet switch market shows a growth trend
– The global Ethernet switch market grew about 10% compared with last year
– In 2008 the global Ethernet switch market is expected to have a "USD 1.8 billion" market share
• Gigabit and 10-Gigabit Ethernet switches are gradually becoming the market mainstream
• Layer 3 switches are encroaching on the router market
• Cisco holds 72% of the global market
• Supports an external redundant power supply system
• LCD display
• 1RU high
(Table residue; columns: # Ports, Port Type, PoE Ports, Max Power Consumption (incl. PoE))
Rows recovered: 24 / 10/100/1000B-T; 24 / 10/100/1000B-T; 48 / 10/100/1000B-T; 48 / 10/100/1000B-T
PoE Ports: 0, 24, 0, 48
Max Power Consumption (incl. PoE): 50 (0) W; 8; 190 (320) W
• LCD display and key control
• Base version supports Layer 3 routing
• 1RU high
Further rows recovered: 24 / 10/100/1000B-T, 24 (PoE), 190 (600) W; 24 / 100B-FX/1000B-X, N/A

Juniper M series (JNCIE) certification training - product manual

汤姆一通互联网技术训练中心 (Tom Yitong Internet Technology Training Center) JUNIPER-JNCIE product manual
Part A: Juniper (M/T) series certification training services ... 2
A.1 Fee schedule ... 2
A.2 JNCIE certification training services ... 3
A.2.1 JNCIE fast-track certification guidance ... 3
A.2.2 JNCIE course study and certification guidance (online) ... 4
A.2.3 JNCIE course study and certification guidance (on-site) ... 5
A.2.4 JNCIE certification study experience ... 6
Part B: Juniper (M/T) series certification system explained ... 7
B.1 M series and T series certification course series ... 7
B.1.1 JNCIS-M ... 7
B.1.2 JNCIP-M ... 8
B.1.3 JNCIE-M ... 8
Part C: JNCIE course content and schedule ... 9
C.1 Exam location ... 9
C.1.2 Course content and study schedule ... 10
Part D: Training FAQ ... 10
Part E: Juniper's development ... 11
E.1 Juniper's development history in China ... 11
E.2 A global leader in networking and security solutions ... 12
E.3 Juniper's products ... 12
E.3.1 Network infrastructure platforms ... 12
E.3.2 Network security solutions ... 13
E.3.3 Application acceleration solutions ... 13

Part A: Juniper (M/T) series certification training services
A.1 Fee schedule
A.2 JNCIE certification training services
A.2.1 JNCIE fast-track certification guidance
A.2.2 JNCIE course study and certification guidance (online)
A.2.3 JNCIE course study and certification guidance (on-site)
A.2.4 JNCIE certification study experience
Part B: Juniper (M/T) series certification system explained
B.1 M series and T series certification course series
The Juniper Networks Technical Certification Program (JNTCP) M series and T series certification courses form a multi-level certification program in which candidates demonstrate their competence in Juniper Networks technology through a combination of written exams and hands-on configuration and troubleshooting exams.

Juniper router internal training material - JUNOS Lab Guide_Module1_Sec1

JUNOS Lab Guide V1.0, 02/15/08
-----------------------------------------------------------
Juniper Networks Security Products Group
JunOS Enhanced Services Version 1.0a Student Lab Guide
JUNOS Lab Guide (Section 1) E-VRC-00xx-ER-08-A01 Juniper Networks, Inc. Page 1-1

Lab 1: Product Sales/Positioning Overview
Background: The locally popular Willson's Sports Equipment Company is opening a larger office. The company is emerging from a modest storefront location selling a large variety of equipment while also offering an assortment of their own professional training and clothing. They have a website with an online store that is managed by a neighborhood whiz-kid and hosted by a local provider. The new office will have several computers requiring Internet access.
Primary Topics:
- Enterprise router platforms: describe Juniper Networks platforms targeted at the customer edge and enterprise markets; describe the design architecture of Juniper Networks routers; list model specifics
- JES architecture and advantages: show the leverage of JunOS; show the leverage of ScreenOS security
- Packet Flow: show the flow of a packet using the flow module
- JunOS vs. JES: compare the differences of JunOS and JES

Lab 1-1: Enterprise Routing Platforms
Customer Edge and Enterprise markets. JunOS Enhanced Services is the first operating system that leverages the distinct strengths of JunOS feature-rich routing software and ScreenOS feature-rich security software.
It enables the extension of the flow-based firewall functionalities to the boundaries of branch-office networks, positioning enterprise customers with the unique ability to protect their networks at their boundaries on a single platform, rather than using multiple platforms, allowing malicious traffic into the demilitarized zone (DMZ).

Architecture - Control Plane
JunOS Enhanced Services Control Plane
JunOS Enhanced Services deploys a combination of JunOS software and some features of ScreenOS software for its control plane, including the network security daemon (NSD), the VPN daemon, the authentication daemon, and a Dynamic Host Configuration Protocol (DHCP) client/server/relay. The network security daemon includes policy-based packet forwarding, the interrelationship of interfaces and security zones, the ability to perform NAT, and so on.

Architecture - Data or Forwarding Plane
JunOS Enhanced Services Data Plane
The JunOS Enhanced Services data plane consists of JunOS packet handling modules compounded with a ScreenOS-like flow engine and session management. Intelligent packet processing ensures that one single thread exists for packet flow processing associated with a single flow. Real-time daemons enable JunOS Enhanced Services software to perform flow-based packet forwarding.

Model Specifics
JunOS Enhanced Services software runs on J-series routers, including the J6350, J4350, J2320, and J2350 platforms.
Lab 1-2: Architecture Approach and Advantages
The approach used in J-series routers is multifold. It consists of maintaining control and data plane separation and leveraging the industry-proven JunOS software. J-series routers, unlike the M-series and the T-series routers, do not depend on specialized application-specific integrated circuit (ASIC) hardware to implement their main forwarding functionality. J-series routers maintain predictable forwarding performance by using a real-time operating system, which ensures that packet forwarding processes are given the highest priority level. The T-series router maintains this forwarding performance even when you enable services. J-series devices deploy the existing RE code used on the M/T-series routers, which includes the deployment of the existing daemons and layer 2 protocols, and support for interface types such as ISDN, E1, T1, T3, and Ethernet. This simplifies and accelerates the software development of new features.
Strengths taken from JunOS:
1. Modular architecture
2. Clear separation of control and data plane
3. From the J series: Layer 2 protocols
4. Interfaces: ISDN, E1, T1, T3, Ethernet, etc.
5. JunOS CLI: hierarchical, 2-phase commit
JunOS Enhanced Services leverages the strength of the JunOS control plane, thereby benefiting from a full suite of JunOS features. The features include an XML-based management interface, industry-proven routing and network management protocols, quality-of-service (QoS) features, the Multilink Point-to-Point Protocol (MLPPP), stateless packet filtering, and so on.
Strengths taken from ScreenOS:
1. Flow-based forwarding
2. Framework for security around zones and policy
3. Features around NAT, VPN, Screens, ...
JunOS Enhanced Services leverages a strong security portfolio from ScreenOS software.
That portfolio includes flow-based routing, a concept of security zones, and simpler configurations of stateful firewall, NAT, and secure tunnels (that is, IPSec).

Lab 1-3: Packet Flow
When a packet enters the device's interface, the system queues the packet, if necessary. If the ingress interface has an input filter, the packet transits the input filter. Note that the applied input filter is stateless (that is, packet based) and not flow based. If the ingress interface has an input policer, the packet transits the input policer. Again, note that the applied policer is packet based, not flow based. Next, the packet transits the ScreenOS-like flow module, which includes session management and the mapping and unmapping of a packet format to a session. The pre-created session includes forwarding lookup information, which is where the system maintains the egress interface and encapsulation data.
If the packet matches a session, all the packets of a flow, first and consecutive, use the Fast Path to process the packet forwarding. Once the packet is forwarded to the egress interface and the interface has an output filter, the system applies the filter to the packet. Similar to the ingress direction, the output filter is stateless (that is, packet based). If the egress interface has an output shaper, the system applies the shaper to the packet. The output shaper is packet based, not flow based. Now the packet is ready for Layer 2 encapsulation; finally, the packet enters an output queue, if necessary. If a packet does not match a session, it is checked to see if any gates have been created that can be referenced for session creation.
A gate is a logical representation of a policy decision that has been installed on the device. This typically involves parameters such as the protocol and application used as well as the age, incoming zones, and source and destination addresses and ports. If a gate exists, the information from the gate is used to create a session, and then all the packets of a flow, first and consecutive, use the Fast Path to process the packet forwarding. If a gate does not exist, the packet is matched against any policies that may have been written for it. If the resulting action of this policy does not allow the packet to continue, it is discarded. If the policy allows the packet to continue, or if no policy is specifically written for the packet, it is matched against a route lookup. If a route exists for the packet it is passed on to the next step; otherwise it is discarded. Next we see if any services will require an ALG (Application Level Gateway). If they do, we inspect the packet's IP/port, NAT or other match criteria based on the application and assign a gate to match. Whether the service does not require an ALG, or we created a gate for the ALG, the next step is to create the session. We create this session based on routing policies etc. and then implement session management parameters such as the session hash table, and we give the session a default timeout. If the session becomes stale (not used in the time allotted by the default timeout), its resources are released for further use. Finally, all the packets of a flow, first and consecutive, use the Fast Path to process the packet forwarding.
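The first-packet path described in Lab 1-3 (session lookup, then gate, policy, route lookup, ALG gate, session creation with a default timeout, and release of stale sessions) is easier to reason about as a small model. The following is an added example, not Juniper code and not part of the lab guide: FlowEngine, FiveTuple, the interface and zone names, the 1800-second timeout and the FTP-style ALG pinhole are all constructed for illustration, and the model follows the lab text in letting a packet with no matching policy proceed to the route lookup.

```python
"""Model of the JES flow module's first-packet and fast-path decisions.

Added example, not Juniper code; it follows the order the lab text gives
(session lookup -> gate -> policy -> route -> ALG gate -> new session with a
default timeout -> release of stale sessions). All names are constructed.
"""
import ipaddress
from collections import namedtuple

DEFAULT_TIMEOUT = 1800  # seconds; constructed default session timeout
FiveTuple = namedtuple("FiveTuple", "proto src sport dst dport")


def reverse(k):
    return FiveTuple(k.proto, k.dst, k.dport, k.src, k.sport)   # the responder's view of the flow


class FlowEngine:
    def __init__(self, routes, policies, zone_of, clock, alg_ports=(21,)):
        # routes: {"prefix": egress iface}; policies: [(from_zone, proto, dport|None, action)],
        # first match wins; zone_of: ingress iface -> zone; clock: callable returning seconds.
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes.items()]
        self.policies, self.zone_of, self.clock = policies, zone_of, clock
        self.alg_ports = set(alg_ports)
        self.sessions = {}   # FiveTuple -> session dict, keyed in both directions
        self.gates = {}      # FiveTuple -> egress iface, installed by an ALG
        self.stats = {"fast_path": 0, "session_created": 0, "discard": 0}

    def _route(self, dst):
        """Longest-prefix match; None means no route, so the packet is discarded."""
        addr, best = ipaddress.ip_address(dst), None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def _install(self, ingress, egress, key, now):
        sess = {"key": key, "ingress": ingress, "egress": egress,
                "last_seen": now, "timeout": DEFAULT_TIMEOUT}
        self.sessions[key] = self.sessions[reverse(key)] = sess
        self.stats["session_created"] += 1

    def process(self, ingress, key):
        """Handle one packet; returns (path taken, egress interface or None)."""
        now = self.clock()
        sess = self.sessions.get(key)
        if sess is not None:                     # fast path: known flow, either direction
            sess["last_seen"] = now
            self.stats["fast_path"] += 1
            return ("fast_path", sess["egress"] if key == sess["key"] else sess["ingress"])
        egress = self.gates.pop(key, None)
        if egress is not None:                   # gate: an already-installed policy decision
            self._install(ingress, egress, key, now)
            return ("gate", egress)
        zone = self.zone_of[ingress]
        action = next((a for z, p, d, a in self.policies
                       if z == zone and p == key.proto and d in (None, key.dport)), None)
        if action == "deny":
            self.stats["discard"] += 1
            return ("discard:policy", None)
        # As in the lab text a packet with no matching policy continues; a hardened
        # design treats "no permit" as a discard at this point.
        egress = self._route(key.dst)
        if egress is None:
            self.stats["discard"] += 1
            return ("discard:no_route", None)
        if key.dport in self.alg_ports:
            # ALG pinhole (constructed, FTP active-mode style): expect the server to open
            # a data connection from dport-1 back to the client's source port.
            self.gates[FiveTuple(key.proto, key.dst, key.dport - 1, key.src, key.sport)] = ingress
        self._install(ingress, egress, key, now)
        return ("first_path", egress)

    def expire_stale(self):
        """Release sessions idle longer than their timeout; returns how many were released."""
        now = self.clock()
        stale = [k for k, s in self.sessions.items() if now - s["last_seen"] > s["timeout"]]
        for k in stale:
            del self.sessions[k]
        return len(stale) // 2   # each session is keyed twice


def demo():
    """One web flow, a denied telnet attempt, and an FTP control + data flow."""
    clock = [0.0]   # deterministic clock so the scenario does not depend on wall time
    eng = FlowEngine(
        routes={"10.2.0.0/16": "ge-0/0/1.0", "0.0.0.0/0": "ge-0/0/2.0"},
        policies=[("trust", "tcp", 23, "deny"), ("trust", "tcp", None, "permit")],
        zone_of={"ge-0/0/0.0": "trust", "ge-0/0/1.0": "untrust"},
        clock=lambda: clock[0],
    )
    web = FiveTuple("tcp", "10.1.1.10", 40000, "10.2.2.20", 80)
    results = [
        eng.process("ge-0/0/0.0", web),                              # policy, route, new session
        eng.process("ge-0/0/0.0", web),                              # fast path
        eng.process("ge-0/0/1.0", reverse(web)),                     # reply, fast path
        eng.process("ge-0/0/0.0", FiveTuple("tcp", "10.1.1.10", 40001, "10.2.2.20", 23)),
        eng.process("ge-0/0/0.0", FiveTuple("tcp", "10.1.1.10", 40002, "10.2.2.20", 21)),
        eng.process("ge-0/0/1.0", FiveTuple("tcp", "10.2.2.20", 20, "10.1.1.10", 40002)),
    ]
    clock[0] = DEFAULT_TIMEOUT + 1                                   # everything is now stale
    return results, dict(eng.stats), eng.expire_stale()
```

The session table is keyed in both directions so reply packets take the fast path without a second policy evaluation, which is exactly why the first-packet checks carry all the security weight: once a session exists, nothing downstream re-examines the decision until it times out.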
Lab 1-4: JunOS VS JES
JunOS CLI
- No 'get' command, use "show"
- No "unset" command, use "delete"
- You must issue a "COMMIT" for configuration changes to be active
Interfaces
- None of the interfaces are bound to zones by default.
- Interfaces can have IP addresses without zone assignment
- Loopback interfaces cannot be used for NAT and VPN configuration
- No Manage-IP configuration
Zones
- No default zones exist
IPSec
- No 'compatible' proposal for P1 and P2
- Tunnel interface "tunnel.x" is secure tunnel interface "st0.x"
- Huge differences in debugging
System limits
- No artificial limit on configured VPNs, address book entries, policies etc.
- Good for dynamic configurations
- Bad to determine overall system capacities

Juniper BRAS training

Representative values are:
c021 Link Control Protocol (used for PPP negotiation)
c023 Password Authentication Protocol (PPP authentication)
c025 Link Quality Report
8021 Network Control Protocol
c223 Challenge Handshake Authentication Protocol
国脉中讯 PPPoE frame header format (RFC 2516)
Field: Version | Type  | Code   | Session ID | Length field | Payload
Size:  4 bit   | 4 bit | 1 Byte | 2 Byte     | 2 Byte       | Up to 1494 Byte
Version: the first 4 bits of a PPPoE packet form the version field; the protocol specifies explicitly that this field is filled with 0x0.
Type: the 4 bits following the version field form the type field; the protocol likewise specifies that this field is filled with 0x01.
Code: the content of this field differs for the different phases of PPPoE.
Session ID: before the access concentrator has assigned a unique session ID to the user host, this field must be filled with 0x0000; once the host has obtained a session ID, this field must carry that unique session ID value in all subsequent packets.
Length: indicates the length of the payload in the PPPoE packet.
PPPoE frame structure analysis
Ethernet Frame: DA (6) | SA (6) | Type (2B) | Ethernet Frame payload 46~1500 Byte | 4
PPPoE header inside the Ethernet payload: VER (4b) | TYPE (4b) | CODE (8b) | SESSION_ID (16b) | LENGTH (16b) | PPPoE payload, max MTU 1494 Byte
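The header layout above is small enough to validate in a few lines, which is what a BRAS or a capture tool has to do before trusting the LENGTH and SESSION_ID fields. The following is an added example, not from the training deck: it parses an Ethernet frame carrying PPPoE, enforces the RFC 2516 values (the RFC requires VER = 0x1 and TYPE = 0x1, which differs from the deck's 0x0 for the version field), rejects a LENGTH that exceeds either the 1494-byte ceiling the deck gives or the bytes actually present, applies the session-ID rules, and decodes the PPP protocol number from the deck's list. The MAC addresses and frames are constructed for the demonstration.

```python
"""Parse and sanity-check a PPPoE frame (RFC 2516).

Added example, not from the training deck. Frames and MAC addresses here are
constructed. VER/TYPE, CODE values and SESSION_ID rules follow RFC 2516; the
1494-byte payload ceiling is the deck's figure (1500-byte Ethernet payload
minus the 6-byte PPPoE header).
"""
import struct

ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPPOE_MAX_PAYLOAD = 1494

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
PPP_PROTOCOLS = {                        # values from the deck's list
    0xC021: "Link Control Protocol",
    0xC023: "Password Authentication Protocol",
    0xC025: "Link Quality Report",
    0x8021: "Network Control Protocol",
    0xC223: "Challenge Handshake Authentication Protocol",
}

# Constructed addresses for the demonstration frames.
BCAST = b"\xff" * 6
HOST = bytes.fromhex("001122334455")
AC = bytes.fromhex("00aabbccddee")


def build_pppoe_frame(dst, src, ethertype, code, session_id, payload, ver=1, typ=1):
    """Assemble Ethernet header + 6-byte PPPoE header + payload (used to construct frames)."""
    header = struct.pack("!BBHH", (ver << 4) | typ, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ethertype) + header + payload


def parse_pppoe_frame(frame):
    """Return the decoded fields, or raise ValueError naming the first rule violated."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet and PPPoE headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        raise ValueError(f"EtherType {ethertype:#06x} is not PPPoE")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    ver, typ = ver_type >> 4, ver_type & 0x0F
    if (ver, typ) != (1, 1):
        raise ValueError(f"VER/TYPE {ver}/{typ}; RFC 2516 requires 1/1")
    if length > PPPOE_MAX_PAYLOAD:
        raise ValueError(f"LENGTH {length} exceeds the {PPPOE_MAX_PAYLOAD}-byte maximum")
    payload = frame[20:]
    if length > len(payload):
        raise ValueError("LENGTH claims more bytes than the frame carries (truncated or forged)")
    payload = payload[:length]           # ignore Ethernet padding beyond the PPPoE payload
    stage = "discovery" if ethertype == ETH_PPPOE_DISCOVERY else "session"
    if stage == "session" and (code != 0x00 or session_id == 0):
        raise ValueError("session-stage frame needs CODE 0x00 and the assigned non-zero SESSION_ID")
    if stage == "discovery" and code == 0x09 and session_id != 0:
        raise ValueError("PADI must carry SESSION_ID 0x0000 (no session assigned yet)")
    info = {
        "dst": frame[:6].hex(), "src": frame[6:12].hex(), "stage": stage,
        "code": CODES.get(code, f"unknown {code:#04x}"),
        "session_id": session_id, "length": length, "payload": payload,
    }
    if stage == "session" and length >= 2:
        proto = struct.unpack("!H", payload[:2])[0]
        info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, f"unknown {proto:#06x}")
    return info


def check_pppoe_frame(frame):
    """(True, fields) for a well-formed frame, otherwise (False, reason)."""
    try:
        return True, parse_pppoe_frame(frame)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    padi = build_pppoe_frame(BCAST, HOST, ETH_PPPOE_DISCOVERY, 0x09, 0, b"\x01\x01\x00\x00")
    print(check_pppoe_frame(padi))
```

Checking LENGTH against the bytes actually present matters more than it looks: a receiver that trusts the field and reads past the end of the frame is the classic shape of an out-of-bounds read, so the parser refuses such a frame instead of clamping it silently.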

Configuration>Admin>Administrators
Juniper technical training
Change the root administrator user name/password
Configuration>Admin>Administrators
set admin name <name>
set admin password <password>
Network>Interfaces>Edit
set interface <name> manage-ip <address>
ns208> set interface e1 manage-ip 1.1.1.250
Verifying interface configuration - WebUI
Network>Interfaces>Edit
• Transparent mode allows traffic between Layer 2 security zones to be controlled by policy
The role of transparent mode
(Diagram: hosts A, B, C, D and E across the zones V1-Trust 10.1.0.0/16, V1-DMZ 10.100.1.0/16 and V1-Untrust 10.200.1.0/16)
• The firewall can be deployed into an existing network simply and quickly
– No change to the existing network topology is required
get         get system information
ping        ping other host
reset       reset system
save        save command
set         configure system parameters
trace-route trace route
unset       unconfigure system parameters
Functions of the command line interface (CLI)
• Open a terminal session; log in with the default account
– login: netscreen  password: netscreen
• After login, the default is command line interface (CLI) mode
– Use the up and down arrows to recall previously used commands
– Use CTL-A to move the cursor to the start of the current command
– Use CTL-E to move the cursor to the end of the current command
– Use the left and right arrows to move the cursor freely within the command line
– Use TAB to auto-complete command input quickly
– Simple, easy-to-use help function
• After entering ?, two columns of information are displayed:
– The left column shows the command name
– The right column shows the command description
Displaying firewall status information - CLI
ns208-> get system
Product Name: NS208
Serial Number: 0043042002000034, Control Number: 00000000
Hardware Version: 0110(0)-(11), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.0.0.0, Type: Firewall+VPN
Base Mac: 0010.db1d.1c30
File Name: n200-LAS0z0ad, Checksum: 00000000
Management access – configuration overview
• Configure an interface for IP connectivity
– Assign an address
– Select management services
– Management IP address (optional)
• Change the root administrator password
• Create system administrators
• Management options
– Timeout
– Management IP address
Configuring security zones/interfaces - WebUI
Network > Interfaces (edit)
– Minimum required configuration (an IE browser and an IP address)
– The PC can be given an IP address on the same subnet as the firewall to access the firewall's WebUI
– Access with a user name and password
Home page - WebUI
• The information shown on the home page is similar to the output of get system
Date 04/15/2003 22:06:53, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 2 hours 31 minutes 14 seconds Since 15 Apr 2003 19:35:39
--- more ---
• In the CLI, the get system command provides some useful information about the firewall system:
– Software version
– Operating mode
– Interface status
– Interface address
– Management addresses
Graphical interface - WebUI
• NetScreen provides a web-based graphical management interface for system administrators
System management
Basic principles - Interfaces
Basic principles - Subinterfaces
Basic principles - Physical interfaces
Establishing a Console port connection
NetScreen Device
Interface ethernet1:
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr
  dhcp disabled
  *ip 1.1.1.1/24   mac 0010.db1d.1c30
  *manage ip 1.1.1.1, mac 0010.db1d.1c30
Selecting management services – WebUI
• Default management service configuration of the firewall security zones
– Trust zone: all services enabled
– Other zones: all services disabled
Network>Interfaces>Edit
Management IP address
• The management IP can be defined separately; by default the interface IP address is used
• Networking functions
– Operating modes
– Routing protocols (OSPF, RIP)
– Multicast
– PPPoE
– DHCP Client/Server, Relay
– ...
NetScreen security architecture
Composition of the security architecture
Policy Check A -> C
– V1-Trust
– V1-Untrust
– V1-DMZ
• User-defined
– Layer-2 (L2) zones
• Setting the system timeout through the CONSOLE port
– The default value is 10 minutes
– To disable this function, set it to 0
set console timeout <number of minutes>
ns208> set console timeout 5
Timeout settings - WebUI
Configuration>Admin>Management
Total Device Resets: 0
System in NAT/route mode.
Use interface IP, Config Port: 80 User Name: netscreen
• In the CLI, the get system command can provide some useful information about the firewall system:
– System serial number
(Diagram: NetScreen device architecture. Interfaces E1–E8 are grouped into Zone A, Zone B, Zone C and Zone D, which are bound to Virtual Router 1 and Virtual Router 2, each with its own routing table (R.T.), inside a VSYS; the layers shown are Interfaces, Zones, Policy and the Virtual Router Forwarding Table.)
set admin auth timeout <minutes>
Management IP address
• To provide stronger security, NETSCREEN devices can use the Manage-ip setting to allow only specific addresses to manage the firewall
• 'Permitted IP' is used to define trusted management addresses
• A 'Permitted IP' entry consists of a dotted-decimal address and a mask value
Console Port
• The NetScreen device can be connected to and managed directly through the Console port
• Advantages of connecting through the Console port
– A dedicated, secure physical port connection
– No network cable is needed to complete the configuration
– No IP address is required
– System boot messages can be viewed
– DEBUG or SNOOP output can be viewed in real time
Operating modes
1. Transparent mode
What is transparent mode?
(Diagram: zones V1-Trust, V1-DMZ and V1-Untrust on interfaces E1, E2 and E3; network 10.1.0.0/16)
• The firewall interfaces work in Layer 2 mode, similar to a switch (bridge mode)