Aug 28, 2012

Use "request system snapshot" command to BACKUP in SRX

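Many basic operation manuals for Juniper devices mention that the 'request system snapshot' command can back up the current configuration and OS. On the SRX, however, it seems to work only with a USB device; otherwise you get the following error message: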

root@SRX1# run request system snapshot
error: usb (/dev/da1) media missing or invalid

OK, let's try it. After plugging in a USB flash drive, try again:

[edit]
root@SRX1# umass1: Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: Removable Direct Access SCSI-0 device 
da1: 40.000MB/s transfers
da1: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)

[edit]
root@SRX1# run request system snapshot  
WARNING: Recovery partition was not found on source media, creating now...
Clearing current label...
Partitioning usb media (/dev/da1) ...
error: Not enough space to copy /altroot (/dev/da1s1a) partition.

...Too bad, not enough space... Trying again with a 2G USB drive finally succeeds!


umass1: vendor 0x0930 USB Flash Memory, rev 2.00/1.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: < USB Flash Memory 1.00> Removable Direct Access SCSI-2 device 
da1: 40.000MB/s transfers
da1: 1909MB (3911616 512 byte sectors: 255H 63S/T 243C)


root@SRX1# run request system snapshot    
Clearing current label...
Partitioning usb media (/dev/da1) ...
Partitions on snapshot:

  Partition  Mountpoint  Size    Snapshot argument
      s1a    /altroot    579M    none
      s2a    /           587M    none
      s3e    /config     38M     none
      s3f    /var        594M    none
      s4a    /recovery/software 64M none
      s4e    /recovery/state 4.7M none
Copying '/dev/da0s1a' to '/dev/da1s1a' .. (this may take a few minutes)
Copying '/dev/da0s2a' to '/dev/da1s2a' .. (this may take a few minutes)
Copying '/dev/da0s3e' to '/dev/da1s3e' .. (this may take a few minutes)
Copying '/dev/da0s3f' to '/dev/da1s3f' .. (this may take a few minutes)
Copying '/dev/da0s4e' to '/dev/da1s4e' .. (this may take a few minutes)
Copying '/dev/da0s4a' to '/dev/da1s4a' .. (this may take a few minutes)
The following filesystems were archived: /altroot / /config /var /recovery/state /recovery/software

root@SRX1# run show system snapshot
Information for snapshot on       usb (/dev/da1s1a) (backup)
Creation date: Aug 28 12:18:19 2012
JUNOS version on snapshot:
  junos  : 10.4R6.5-domestic
Information for snapshot on       usb (/dev/da1s2a) (primary)
Creation date: Aug 28 12:19:53 2012
JUNOS version on snapshot:
  junos  : 12.1R1.9-domestic

If you prefer to use the GUI, refer to this article:

Configuring a Boot Device for Backup with the J-Web Interface


http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-admin-guide/configure-boot-devices.html


Aug 17, 2012

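Juniper SSG5 USB upgrade procedure

The back panel of the Juniper SSG5 has a USB slot that lets you upgrade directly without any network connectivity. The detailed procedure follows:


1. First, extract the SSG firmware on your computer. Files downloaded from the website are usually compressed archives (.zip), so you must extract the raw firmware file, which usually has no file extension.
EX: The file I downloaded from the website is named "ssg5ssg20.6.3.0r10.0.zip"; after extraction the file name is "ssg5ssg20.6.3.0r10.0"
2. Then copy it directly onto a USB flash drive and plug the drive into the USB slot on the back panel of the SSG5. The SSG console shows a prompt like the following: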


ssg5-serial-> 
Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 2, SCSI over Bulk-Only

Mount usb device. Please wait...
usb device (usb) ready.

ssg5-serial-> 


3. Check the SSG's current version number:


ssg5-serial-> get system
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r9.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Fri Sep 9 04:22:38 PDT 2011
Base Mac: 88e0.f302.5ec0
File Name: screenos_image, Checksum: cd7dfcdf
, Total Memory: 256MB

Date 01/15/2002 03:02:54, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 86 hours 5 minutes 41 seconds Since 11Jan2002:12:57:13
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.
ssg5-serial-> get syste
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r9.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Fri Sep 9 04:22:38 PDT 2011
Base Mac: 88e0.f302.5ec0
File Name: screenos_image, Checksum: cd7dfcdf
, Total Memory: 256MB

Date 01/15/2002 03:02:54, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 86 hours 5 minutes 41 seconds Since 11Jan2002:12:57:13
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.


4. Check the file listing of the SSG's flash and of the USB device:


ssg5-serial-> get file 
    flash:/crashdump.dmp                32768
    flash:/burnin_log3                  20480
    flash:/burnin_log2                  20480
    flash:/burnin_log1                  20480
    flash:/burnin_log0                  20480
    flash:/pkidatabase.digest              20
    flash:/prngseed.bin                    32
    flash:/envar.rec                       94
    flash:/ns_sys_config                 1541
    flash:/ns_sys_cfg.sig                  20
    flash:/dhcpservl.txt                   68
    flash:/$lkg$.cfg                     1441

USB flash device :
    usb:/ssg5ssg20.6.3.0r10.0        13327280

5. Start the upgrade:

ssg5-serial-> save software from usb ssg5ssg20.6.3.0r10.0 to flash
It will replace current image file with usb image ssg5ssg20.6.3.0r10.0.
Do you want to continue... y/[n] y
Load image from usb to flash: ssg5ssg20.6.3.0r10.0.

Read .........................................
Save to flash. It may take a few minutes ...
platform = 25, cpu = 12, version = 18
 update new flash image (029b29e0,13327280)
platform = 25, cpu = 12, version = 18
offset = 20, address = 5800000, size = 13327201
date = 1d84, sw_version = 31808000, cksum = 2deb1e58
Image authenticated!
Program flash (13327280 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done



6. After the upgrade completes, safely remove the USB device:

ssg5-serial-> exec usb-device stop
The "USB Mass Storage Device"can now be safely removed from system

7. Reset the SSG5:

ssg5-serial-> reset
Configuration modified, save? [y]/n 
Save System Configuration  ... 
Done
System reset, are you sure? y/[n] n
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> 
ssg5-serial-> reset
System reset, are you sure? y/[n] y
In reset ...


Juniper Networks SSG5 Boot Loader Version 1.3.2 (Checksum: A1EAB858)
Copyright (c) 1997-2006 Juniper Networks, Inc.

Total physical memory: 256MB
    Test - Pass
    Initialization - Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...
Done! (size = 13,336,576 bytes)

Image authenticated!

Start loading...
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................................................................
.................
Done.



Juniper Networks, Inc
SSG5/SSG20 System Software
Copyright, 1997-2008

Version 6.3.0r10.0
Cksum:4d5343a4
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.3.0)Done
Install module init vectors
IPv6 is enabled
Changed to l3 mode
Initializing IPv6
Install modules (01264800,01fb4000) ... 
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns

System config (1555 bytes) loaded

Done.
Load System Configuration .............................................................................modem is not detected
....................................Disabled licensekey auto update
....................Done
system init done..


8. Log back in to the SSG and check that the version number is correct. That completes the upgrade!

login: netscreen
password: 
ssg5-serial-> get system 
Product Name: SSG5-Serial
Serial Number: 0162072011007638, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r10.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Sun Dec 4 19:38:35 PST 2011
Base Mac: 88e0.f302.5ec0
File Name: ssg5ssg20.6.3.0r10.0, Checksum: 4d5343a4
, Total Memory: 256MB

Date 01/15/2002 03:34:45, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 1 minutes 43 seconds Since 15Jan2002:03:33:02
Total Device Resets: 1, Last Device Reset at: 10/01/2001 04:04:34

System in NAT/route mode.

Aug 16, 2012

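How to make an autoinstall USB drive for Juniper Branch SRX

Sometimes I want to be lazy and skip uploading JUNOS to a Branch SRX (SRX100/SRX200...) over FTP; or I am in the server room, have genuinely forgotten a device's IP, and do not want to walk back to my desk to look it up. If JUNOS could be upgraded directly from USB, as on the older M/T-Series, it would save a lot of trouble.

I tried many times on JUNOS 10.2 without success. Only after seeing a tutorial on the Juniper Learning Portal did I learn that it also depends on the version running on the SRX itself: it must be at least 10.4 to support automatic upgrade from USB.

The steps are as follows:

1. Format a USB flash drive as FAT/FAT32
2. Copy the JUNOS version you want to upgrade to (I used …) into the root directory of the USB flash drive
3. Run this command
C:\> echo "">[USB drive letter]:\autoinstall.conf
EX: My USB flash drive is the F drive, so my command is
C:\> echo "">F:\autoinstall.conf
4. Plug the USB flash drive into the SRX's USB slot, then wait a moment for the SRX to detect it
This is my current version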
[edit]
root# run show version
Model: srx100h
JUNOS Software Release [10.4R6.5]


When you insert the USB drive, the console shows a prompt similar to the following
[edit]
root# umass1: Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 4
da1 at umass-sim1 bus 1 target 0 lun 0
da1: Removable Direct Access SCSI-0 device
da1: 40.000MB/s transfers
da1: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)
FSTYPE = 11...(omit)
 


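5. Press the RESET CONFIG button on the SRX (take care not to press the POWER button by mistake)

6. All the LEDs then turn amber and the upgrade starts automatically. When the upgrade finishes, the device reboots by itself; once it has booted, log in again and you will see the new JUNOS version!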


Installing package '/altroot/cf/packages/install-tmp/junos-12.1R1.9-domestic' ... 
Verified junos-boot-srxsme-12.1R1.9.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1R1.9-domestic signed by PackageProduction_12_1_0
JUNOS 12.1R1.9 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING:     Use the 'request system reboot' command
WARNING:         when software installation is complete
Saving state for rollback ... 

Terminated
AWaiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 done

syncing disks... All buffers synced.
Uptime: 19m29s
Rebooting...
cpu_reset: Stopping other CPUs


U-Boot 1.1.6-JNPR-2.0 (Build time: Nov 17 2010 - 07:04:52)

SRX_100_HIGHMEM board revision major:0, minor:0, serial #: AT4411AF1158
OCTEON CN5020-SCP pass 1.1, Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  1024 MB
Starting Memory POST... 
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices... 4 USB Device(s) found
       scanning bus for storage devices... 2 Storage Device(s) found
Clearing DRAM........ done
BIST check passed.
Boot Media: nand-flash usb 
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
ELF file is 32 bit
Loading .text @ 0x8f000078 (244960 bytes)
Loading .rodata @ 0x8f03bd58 (13940 bytes)
Loading .rodata.str1.4 @ 0x8f03f3cc (16648 bytes)
Loading set_Xcommand_set @ 0x8f0434d4 (100 bytes)
Loading .rodata.cst4 @ 0x8f043538 (20 bytes)
Loading .data @ 0x8f044000 (5608 bytes)
Loading .data.rel.ro @ 0x8f0455e8 (120 bytes)
Loading .data.rel @ 0x8f045660 (136 bytes)
Clearing .bss @ 0x8f0456e8 (11656 bytes)
## Starting application at 0x8f000078 ...
Consoles: U-Boot console  
Found compatible API, ver. 2.0

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.0
(builder@warth.juniper.net, Wed Nov 17 07:07:32 UTC 2010)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf 
/kernel data=0xae0e24+0x133964 syms=[0x4+0x89cb0+0x4+0xc7a56]


Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...               
Kernel entry at 0x801000d8 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2012, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.1R1.9 #0: 2012-03-24 12:12:49 UTC
    builder@greteth:/volume/build/junos/12.1/release/12.1R1.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
JUNOS 12.1R1.9 #0: 2012-03-24 12:12:49 UTC
    builder@greteth:/volume/build/junos/12.1/release/12.1R1.9/obj-octeon/junos/bsd/kernels/JSRXNLE/kernel
real memory  = 1073741824 (1024MB)
avail memory = 526438400 (502MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
Security policy loaded: JUNOS MAC/pcap (mac_pcap)
netisr_init: !debug_mpsafenet, forcing maxthreads from 2 to 1
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
        L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
        L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: on obio0
usb0: on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 2 ports with 1 removable, self powered
umass0: STMicroelectronics ST72682  High Speed Mode, rev 2.00/2.10, addr 3
umass1: Unigen Corporation PQS1000B1, rev 2.00/11.00, addr 4
pcib0: on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: on pcib0
pci0: at device 2.0 (no driver attached)
pci0: at device 2.1 (no driver attached)
pci0: at device 2.2 (no driver attached)
cpld0 on obio0
gblmem0 on obio0
octpkt0: on obio0
cfi0: on obio0
Timecounter "mips" frequency 500000000 Hz quality 0
###PCB Group initialized for udppcbgroup
###PCB Group initialized for tcppcbgroup
da0 at umass-sim0 bus 0 target 0 lun 0
da0: Removable Direct Access SCSI-2 device 
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
da1 at umass-sim1 bus 1 target 0 lun 0
da1: Removable Direct Access SCSI-0 device 
da1: 40.000MB/s transfers
da1: 980MB (2007040 512 byte sectors: 64H 32S/T 980C)
Trying to mount root from ufs:/dev/da0s2a
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md0...

Media check on da0
Automatic reboot in progress...
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 70188 free (28 frags, 8770 blocks, 0.0% fragmentation)
Verified junos signed by PackageProduction_12_1_0
Verified jboot signed by PackageProduction_12_1_0
Verified junos-12.1R1.9-domestic signed by PackageProduction_12_1_0
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 12426 free (26 frags, 1550 blocks, 0.2% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 161600 free (112 frags, 20186 blocks, 0.1% fragmentation)
Loading configuration ...
mgd: commit complete
Setting initial options: .
Starting optional daemons:  usbd.
Doing initial network setup:
.
Initial interface configuration:
additional daemons: eventd.
Additional routing options:kern.module_path: /boot//kernel;/boot/modules -> /boot/modules;/modules/ifpfe_drv;kldload: Unsupported file type
/modules;
kld netpfe drv: ifpfed_dialer.
Doing additional network setup:.
Starting final network daemons:.
setting ldconfig path: /usr/lib /opt/lib
starting standard daemons: cron.
Initial rc.mips initialization:.
Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created
boot.upgrade.uboot="0xBFC00000"
boot.upgrade.loader="0xBFE00000"
Boot media /dev/da0 has dual root support
** /dev/da0s1a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 40329 free (49 frags, 5035 blocks, 0.0% fragmentation)
Thu Aug 16 16:13:17 UTC 2012

Amnesiac (ttyu0)

login:     
Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC


7. Done!

 
 

Aug 14, 2012

BGP export(redistribution) policy without "match protocol" in JUNOS

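While reviewing our company's core routers today, I noticed that some BGP export policies have match protocol configured and some do not, and a question suddenly came to mind:

"Can static or connected routes be redistributed into BGP without configuring match protocol?"

I then asked my senior colleagues and discussed it with them, and it turned out that everyone had a different understanding. Some thought that an export policy alone is enough to advertise the best routes in inet.0 directly to a BGP neighbor; others thought that a route has to become a BGP active route before it can be advertised to a BGP neighbor…


This kind of situation comes up often with JUNOS configuration, because the sample configs on the web are all the same classic cases with minor variations, and there are few exceptional cases to refer to. So in the end, without further ado, it was quicker to confirm on real equipment. This is also what gives me headaches: for any JUNOS command I have not tested in the lab, I really cannot be sure what the result will be (especially across different platforms and different hardware combinations).
  • First set the SRX to packet mode (a very peculiar command: if I had not taken the JSEC course, I would never have known that packet mode is configured under this hierarchy… family mpls, what on earth does your existence have to do with packet mode??? Really hard to understand!):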
security {
    forwarding-options {
        family {
            mpls {
                mode packet-based;
            }
        }
    }
}
  • Next, configure the static and connected routes that are to be turned into BGP routes (forgive my laziness; the other basic interface settings are not listed here)
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 100.100.100.100/32;
            }
        }
    }
}                                       
routing-options {
    static {
        route 200.200.200.0/24 discard;
    }
}
  • Then configure the prefix-list and policy-statement. I do not configure match protocol and instead filter routes directly with prefix-list-filter; the contents are the loopback interface and static route above
policy-options {
    prefix-list LO {
        100.100.100.100/32;
        200.200.200.0/24;
    }
    policy-statement LO_OUT {           
        from {
            prefix-list-filter LO exact;
        }
        then accept;
    }
}

  • After first finishing the BGP configuration on the router at the other end (AS200), configure the BGP settings on the local device:
routing-options {
    autonomous-system 100;
}
protocols {
    bgp {
        group EBGP {
            type external;
            neighbor 10.1.1.2 {
                export LO_OUT;
                peer-as 200;
            }
        }
    }
}

With that done, confirm that BGP is UP and then check whether the advertised BGP routes include the static and connected routes:

root@SRX1# run show route advertising-protocol bgp 10.1.1.2 

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 100.100.100.100/32      Self                                    I
* 200.200.200.0/24        Self                                    I

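The answer is revealed! No specific match protocol is needed to advertise non-BGP routes to a BGP neighbor. In other words, if you want to forward all routes via BGP, would configuring just an empty export policy (then accept) achieve that?... Sorry, I have not tried it yet, so I cannot be 100% sure. I will try it for you next time I have a chance~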
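Because the lab shows that an export policy with no protocol match advertises static and connected routes, a configuration review can look for that pattern. The following is an added example, not code from the original post: it parses a Junos-style configuration and reports every BGP export policy term that accepts routes without a `from protocol` match. `LO_OUT_SCOPED` and neighbor 10.1.1.6 are hypothetical additions to the post's configuration, and the small parser assumes brace-and-semicolon syntax without comments.

```python
import re

# Constructed sample: LO_OUT and neighbor 10.1.1.2 follow the post's config;
# LO_OUT_SCOPED and neighbor 10.1.1.6 are hypothetical, added for contrast.
SAMPLE = """
policy-options {
    policy-statement LO_OUT {
        from { prefix-list-filter LO exact; }
        then accept;
    }
    policy-statement LO_OUT_SCOPED {
        term LOCAL {
            from { protocol [ static direct ]; prefix-list-filter LO exact; }
            then accept;
        }
        term DENY { then reject; }
    }
}
protocols {
    bgp {
        group EBGP {
            neighbor 10.1.1.2 { export LO_OUT; peer-as 200; }
            neighbor 10.1.1.6 { export LO_OUT_SCOPED; peer-as 200; }
        }
    }
}
"""

def parse(text):
    """Parse curly-brace Junos config into nested dicts (leaf statements -> None)."""
    stack = [{}]
    for head, delim in re.findall(r"([^{};]*)([{};])", text):
        head = " ".join(head.split())
        if delim == "{":
            stack.append(stack[-1].setdefault(head, {}))
        elif delim == ";" and head:
            stack[-1][head] = None
        elif delim == "}" and len(stack) > 1:
            stack.pop()
    return stack[0]

def clause(term, word):
    """Statements of a 'from'/'then' clause, in block or one-line form."""
    block = term.get(word)
    inline = [k[len(word) + 1:] for k in term if k.startswith(word + " ")]
    return (list(block) if isinstance(block, dict) else []) + inline

def unscoped_accept_terms(policy):
    """Names of terms that accept routes without any 'from protocol' match."""
    terms = {k[5:]: v for k, v in policy.items()
             if k.startswith("term ") and isinstance(v, dict)}
    rest = {k: v for k, v in policy.items() if not k.startswith("term ")}
    if rest:  # statements outside any term form one unnamed term
        terms["<unnamed>"] = rest
    return [n for n, t in terms.items() if "accept" in clause(t, "then")
            and not any(s.startswith("protocol") for s in clause(t, "from"))]

def bgp_exports(node, path="bgp"):
    """Yield (hierarchy path, policy name) for every export statement under bgp."""
    for key, val in node.items():
        if key.startswith("export "):
            for name in key[7:].strip("[] ").split():
                yield path, name
        elif isinstance(val, dict):
            yield from bgp_exports(val, f"{path} {key}")

def audit(text):
    """(bgp path, policy, term) for each exported term accepting with no protocol match."""
    cfg = parse(text)
    policies = {k.split()[1]: v for k, v in cfg.get("policy-options", {}).items()
                if k.startswith("policy-statement ")}
    bgp = cfg.get("protocols", {}).get("bgp", {})
    return [(w, p, t) for w, p in bgp_exports(bgp)
            for t in unscoped_accept_terms(policies.get(p, {}))]

if __name__ == "__main__":
    for where, policy, term in audit(SAMPLE):
        print(f"{where}: export {policy}, term {term}: accept without 'from protocol'")
```

Only the post's `LO_OUT` is reported; the scoped variant passes because its accepting term matches on protocol and a final term rejects everything else.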

May 8, 2012

CCNP ROUTE - Opaque LSAs

Type 9, 10, 11 (Opaque LSAs) may be used for distributing application-specific information through an OSPF domain.

  • Type 9 LSAs are not flooded beyond the local network or subnetworks.
    • A link-local "opaque" LSA (defined by RFC2370) in OSPFv2 and the Intra-Area-Prefix LSA in OSPFv3. It is the OSPFv3 LSA that contains prefixes for stub and transit networks in the link-state ID.
  • Type 10 LSAs are not flooded beyond the borders of their associated area.
    • An area-local "opaque" LSA (defined by RFC2370). Opaque LSAs contain information which should be flooded by other routers even if the router is not able to understand the extended information itself. Typically type 10 LSAs are used for traffic engineering extensions to OSPF, flooding extra information about links beyond just their metric, such as link bandwidth and color.
  • Type 11 LSAs are not flooded through the AS.
    • An AS "opaque" LSA defined by RFC 5250, which is flooded everywhere except stub areas. This is the opaque equivalent of the type 5 external LSA.

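CCNP ROUTE - OSPF over NBMA quick memory aids

Students learning OSPF for the first time tend to feel their brain is overloaded when they meet NBMA; however they memorise it, it is easy to mix up when a Neighbor must be configured and when a DR/BDR is elected. (See the figure below.)


Here are two quick memory aids:

  1. Any OSPF mode whose name contains the string nonbroadcast (including NBMA) requires manually configured neighbors
    • Because broadcast (multicast) is not supported, multicast hellos cannot be sent, so neighbors must be configured to use unicast instead
  2. Any OSPF mode whose name begins with Point-to-XXX does not need to elect a DR or BDR
    • Point-to-XXX is common in WAN environments, so there is no need for a DR/BDR, which stands for multiaccess broadcast
  3. Apart from the standard LAN (Broadcast) / WAN (Point-to-Point) modes, the Hello timer of every OSPF mode is 30 secs

I hope this helps you in your studies!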

Apr 18, 2012

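[Seminar] Moving to the Cloud: Easily Build an Enterprise Virtualized Storage Environment


According to an IDC survey, the volume of data stored worldwide will continue to grow explosively, reaching 76859PB in 2014. Advances in cloud technology and the rise of virtualization platforms have also changed enterprise data storage requirements. At the crossroads of Big Data, virtualized environments and cloud services, Synology® and VMware® share how to easily build a virtualized storage environment for the enterprise, and how to use the full range of enterprise value-added applications offered by Synology NAS servers to build a powerful, versatile private cloud platform.
  • Time: April 26, 2012 (Thu) 14:00-16:40
  • Venue: Sheraton Taipei Hotel, B2 Fu Hall (No. 12, Sec. 1, Zhongxiao E. Rd., Taipei City)
  • Admission: Free. Seats are limited, so please register soon
  • Audience: decision-making managers of IT departments in enterprises and government agencies, and IT staff
  • Enquiries: (02)2562-2880 ext. 3713, Mr. Huang
Notes:
  • The organizer reserves the right to review and confirm registration eligibility. Successful registrants will be notified separately. Do not falsify another person's identity information, to avoid breaking the law.
  • In the event of weather or force majeure (such as earthquake or fire), the organizer reserves the right to change the event date and agenda.
  • The organizer reserves the right to change the gifts. Winners must present identification to complete the prize claim; prizes worth more than NT$1,000 must be declared for tax according to law; prizes worth more than NT$20,000 are subject to a 10% tax according to law.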

Apr 5, 2012

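[Seminar] Cloud Data Center Structured Cabling and Small/Medium Data Center Planning Practice Seminar


Schneider holds the "Cloud Data Center Structured Cabling and Small/Medium Data Center Planning Practice Seminar"

The "Cloud Data Center Structured Cabling and Small/Medium Data Center Planning Practice Seminar", jointly organized by Schneider Electric, Linghua International (凌華國際) and Schneider APC, will take place at 1:30 pm on 4/26 at the "GIS NTU Convention Center, Socrates Hall" (B1, No. 85, Sec. 4, Roosevelt Rd.; MRT Gongguan Station Exit 2).

The seminar is divided into two parts. In the first, Patrick Cheong (張德強), Schneider's Asia-Pacific business development manager, starts with the international standards for basic structured cabling in cloud data centers, then discusses how structured cabling standards are applied in data center construction, and finally shares cases of large data centers worldwide built with the Actassi cabling system.

In the second part, APC technical consultant Kogi Wang (王高智) explains the design and planning of small and medium-sized computer rooms within the enterprise and shares practical experience. The seminar content gives customers who are building a data center or planning to improve one a clear direction for design and planning. Schneider Electric's new Actassi cabling system product line will also be on display on site; you are welcome to visit.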


Apr 1, 2012

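Digital Subscriber Line (ADSL vs SDSL)

DSL is an always-on connection technology that uses existing twisted-pair telephone lines to carry high-rate data while providing IP services to subscribers. A DSL modem converts the Ethernet signal coming from the user into a DSL signal and sends it to the service provider's central office (CO).


In the early 1950s, Bell Labs demonstrated that although the physical cable can support frequencies of 300 Hz~1 MHz, carrying voice calls on the local loop needs only 300 Hz~3 KHz. Advanced techniques allow DSL to use the extra bandwidth of 3 KHz~1 MHz to deliver high-speed data services over the existing copper.


DSL service types fall broadly into two categories according to the difference between upstream and downstream rates:

1. Asymmetric DSL (ADSL): provides a connection whose download rate is higher than its upload rate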

  • ADSL, ADSL2, ADSL2+
  • G.Lite(G.992.2)
  • VDSL, VDSL2
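ADSL is called asymmetric digital subscriber line because its upstream (from the subscriber toward the telecom service provider, e.g. uploading) and downstream (from the telecom service provider toward the subscriber, e.g. downloading) bandwidths are asymmetric (that is, the upstream and downstream rates differ). It uses frequency-division multiplexing to split an ordinary telephone line into three relatively independent channels (telephone, upstream and downstream), thereby avoiding interference between them. ADSL can typically provide up to 3.5Mbps upstream and up to 24Mbps downstream without affecting normal telephone service.

ADSL2 (ITU-T standard G.992.3) uses the same upstream and downstream spectrum as first-generation ADSL, so in theory its maximum downstream access rate can reach 12Mbps and its maximum upstream access rate about 1.2Mbps. If the new Annex I or Annex J spectral masks (Power Spectral Density Mask) in ADSL2 and their corresponding all-digital modes are used, carrying upstream data in the band of the narrowband voice service, the maximum ADSL2 upstream rate can be raised further to about 1.4Mbps or 2.5Mbps respectively.

ADSL2+ extends ADSL2 and has all of ADSL2's characteristics. The upstream band is the same as in ADSL2, but the usable downstream band is doubled: the highest subcarrier frequency extends from 1.104MHz to 2.208MHz, and the number of supported subcarriers increases correspondingly to 512, so the downstream access rate doubles. At a transmission distance of 0.7Km or less, the downstream access rate can reach the maximum of 24Mbps, almost the same class as VDSL; within 2.1Km, downstream access can still reach 16Mbps or more, greatly expanding the ability to support new services.

VDSL (Very High Bit-rate DSL), also called very-high-speed digital subscriber loop, is an asymmetric DSL and was once the fastest xDSL technology; as the name suggests, it is faster than HDSL (high-speed digital subscriber loop). A pair of VDSL devices serves as the final drop from a fiber node to nearby subscribers. VDSL lets the customer premises obtain high-bandwidth service over existing copper without installing fiber. Like ADSL, VDSL is a member of the xDSL family of broadband solutions carried over copper. Over one conventional subscriber twisted pair, within a certain service range, it can effectively carry 12.9Mb/s to 52.8Mb/s downstream (the theoretical laboratory maximum is 60Mb/s) and 1.6Mb/s to 2.3Mb/s upstream. But compared with ADSL's distance limit of about 4 km from the fixed-network central office, VDSL's effective transmission distance is only 600 m; it is the last-mile broadband access solution before the "fiber to the home" era.

VDSL's drawback is that transmission speed is inversely proportional to transmission distance, and most wiring cannot meet its quality requirements, so the line within a few hundred feet of the customer premises cannot use an ordinary digital circuit and must use a fiber digital circuit. In addition, there is as yet no single standard for VDSL, so further effort is needed before it is truly widespread. In practice, however, the technology is already widely used in Japan, with both upstream and downstream speeds reaching 100Mb/s.

VDSL2 is the second generation of VDSL and currently the fastest DSL technology. Over short distances (within 350 m) both upstream and downstream can reach 100Mb/s; in ordinary deployments it typically reaches 30Mb/s downstream and 10Mb/s upstream. VDSL2 combines the high speed of VDSL with the long reach of the ADSL family (ADSL/ADSL2/2+).

2. Symmetric DSL (SDSL): provides a connection whose upload and download rates are the same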

  • SDSL
  • HDSL
  • IDSL
  • G.shdsl
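In the early 1990s, HDSL used 2B1Q modulation and twisted-pair cable to carry 1.544Mbps T1 service.

HDSL-2 (High-data-rate Digital Subscriber Line): high-speed digital subscriber line. HDSL-2 is the second-generation HDSL data transmission technology. Within the existing telephone network architecture, telecom and network service providers need only a single copper twisted pair to offer bidirectional symmetric high-speed transmission equivalent to T1 leased-line speed (1.544Mbps). Providers that adopt HDSL-2 customer-premises equipment can double the number of subscribers on the existing T1 and HDSL line architecture (two copper pairs) and win more business in high-speed access services.

SDSL (Symmetric Digital Subscriber Line): symmetric digital subscriber loop, a single-pair digital subscriber system. It uses conventional telephone lines to provide symmetric multi-rate transmission from 144Kbps to 2.3Mbps in both directions, and is mostly used by business customers. Because of its symmetric transmission, SDSL is widely expected to become an economical replacement for the T1/E1 leased lines that enterprises commonly use today. SDSL's technical characteristics are the same as HDSL's; the difference is that it uses only one twisted pair. It also uses bidirectional symmetric transmission and is popular with business customers. SDSL upstream and downstream rates both reach 1.544 Mbps.

IDSL (ISDN Digital Subscriber Line): ISDN digital subscriber loop. It provides a persistent 128Kbps connection over ISDN. Unlike ISDN AO/DI, IDSL has a fixed IP, so it can be used to host an e-mail server or a Web site; it suits small homes or offices with light usage.

G.SHDSL is the new international standard for symmetric digital subscriber line (SDSL) and is used for bidirectional high-speed data services. Compared with earlier schemes, the standard lets data travel farther and faster while improving spectral compatibility. Because SDSL supports equal rates in both directions, it handles voice and data transmission well.

SHDSL (Single-pair High Speed DSL): single-copper-pair high-speed DSL. It is a new generation of symmetric DSL technology that, with the establishment and maturing of the unified G.SHDSL standard, has gradually become the mainstream of the symmetric DSL market. With SHDSL, telecom and network service providers need only a single copper twisted pair within the existing telephone network architecture to offer bidirectional symmetric, multi-rate high-speed transmission of up to 2.3Mbps.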

| DSL Technology | Nature | Max. Data Rate (Down / Up) [bps] | Data and POTS |
|---|---|---|---|
| ADSL | Asymmetric | 8 M / 1 M | Yes |
| VDSL | Symmetric / Asymmetric | 52 M / 13 M | Yes |
| IDSL | Symmetric | 144 k / 144 k | No |
| SDSL | Symmetric | 768 k / 768 k | No |
| HDSL | Symmetric | 2 M / 2 M | No |
| G.SHDSL | Symmetric | 2.3 M / 2.3 M | No |

| DSL Technology | Max. Data Rate (Down / Up) [bps] | Max. Distance [feet / km] |
|---|---|---|
| ADSL | 8 M / 1 M | 18,000 / 5.46 |
| VDSL | 52 M / 13 M | 4,500 / 1.37 |
| IDSL | 144 k / 144 k | 18,000 / 5.46 |
| SDSL | 768 k / 768 k | 22,000 / 6.7 |
| G.SHDSL | 2.3 M / 2.3 M | 28,000 / 8.52 |