In most (if not all) installation instructions for Debian Third-Party repositories you will find a sentence like this:
wget -O - https://packages.example.com/example.key | apt-key add -
This allows the package maintainer's key to sign ALL Debian packages, not only the packages from their repository. I'm not sure why this is still so common when a more secure alternative exists.
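The excerpt does not name the alternative. The check below is an added example, not code from the original post, and assumes the alternative is the signed-by option of sources.list, which ties a repository to a single keyring file. The keyring path and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: list one-line-style APT source entries that are not pinned
# to a keyring with signed-by. Such entries are verified against the global
# trusted keyrings, which is where `apt-key add` places keys.

# unscoped_sources FILE...
# Prints "file:line: entry" for every deb/deb-src line without signed-by.
unscoped_sources() {
    awk '
        # Commented-out entries never match, their first field starts with "#".
        $1 == "deb" || $1 == "deb-src" {
            opts = ""
            # Options, if present, are a bracketed list right after the type.
            if ($2 ~ /^\[/) {
                i = index($0, "["); j = index($0, "]")
                if (j > i) opts = substr($0, i, j - i + 1)
            }
            if (opts !~ /signed-by=/)
                printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$@"
}

# Constructed sample input: one pinned entry, two unpinned, one disabled.
sample_sources() {
    cat <<'EOF'
# constructed sample, not a real repository
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://packages.example.com/debian stable main
deb https://packages.example.com/legacy stable main
deb [arch=amd64] https://packages.example.com/other stable main
# deb https://packages.example.com/disabled stable main
EOF
}

# Demo run on the sample; on a real system pass
# /etc/apt/sources.list /etc/apt/sources.list.d/*.list instead.
demo=$(mktemp)
sample_sources > "$demo"
unscoped_sources "$demo"
rm -f "$demo"
```

Entries in the deb822 `.sources` format use a `Signed-By:` field instead and are not covered by this check.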
Juniper is somewhat (in-)famous for unhelpful and/or superfluous error messages. We faced a new one on our Juniper MX boxes recently. A normal-looking static route was committed, the next-hop was reachable via an irb interface bound to a VPLS instance:
[edit routing-options static]
+ route 10.1.2.168/29 {
+ next-hop 10.1.2.167;
+ tag 666;
+ }
I faced an interesting problem today. In a customer L3VPN/VRF a route was hidden and it was not apparent why. In JunOS when you do a show route ... command you will get a summary at the top that tells you some statistics. In this case, four routes are hidden (three were expected, the one displayed here should not have been hidden). You can display hidden routes by adding the hidden option to the show route command:
user@core1> show route table customer-vrf.inet.0 10.1.2.0/22 hidden
customer-vrf.inet.0: 31 destinations, 34 routes (30 active, 0 holddown, 4 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.2.0/22 [BGP ] 1d 17:20:31, MED 0, localpref 100, from 198.51.100.27
AS path: 65003 ?, validation-state: unverified
to 198.51.100.174 via ae1.0, Push 16, Push 300928(top)
> to 198.51.100.66 via ae17.0, Push 16, Push 302608(top)
I was looking for an easy and fast way to push configuration to our Juniper devices. Preferably one that doesn't need anything special except an SSH connection.
I started with a standard Juniper configuration snippet. Something like this:
policy-options {
replace:
policy-statement deny-everything {
then reject;
}
}
How do we get this on the device? Luckily Juniper (as well as other vendors) supports a feature called NETCONF (RFC 6241), which uses an XML RPC API to talk to the device. You need to enable it together with SSH: