Farhan Anwar's Online Presence

CCIE SP Experiences

2010-12-14T13:00:00.001-08:00

I have taken CCIE SP Lab for two times until now. Searching and requesting friends and connections for another date before the track changes. Being in the same shoes two times, I have found the lab quite amazing and enjoying. Also expensive.

- Posted using BlogPress from my iPad

Location:Jebel Ali Race Course Rd,Dubai,United Arab Emirates

CCIE Security Written Pre-Qualification Exam

2009-04-23T00:54:00.001-07:00

I have passed my CCIE Security Written Exam recently. It requires extensive preparation and advanced level hands on experience on Cisco Security Appliances, Modules and Security Applications.

Furthermore, it requires deep understanding of Security and IP Protocols is also required. Good Handon experience and understanding on Cisco CS-MARS, NAC Appliances, AAA Servers, CSA etc is also essential.

This exam is a little different because, as because, several routing and switching topics are also included, so you must have good understanding of popular routing protocols and their security features.

I have used for following books for preparing for this exam:

1. Cisco Press - Cisco ASA All-In-One Firewall, IPS And VPN Adaptive Security Appliance

2. Cisco Press – CCIE Security Exam Certification Study Guide – 2nd Edition

3. Cisco Press – CCIE Security Quick Reference Sheet

CCIE Bootcamps and Training

2009-04-23T00:38:00.001-07:00

For getting your CCIE Certification, it is essential that you get proper training, guidance, support and hands-on equipment. There are several world-wide training companies who are giving CCIE Training using several different delivery methods such as online, on-demand, on-site and off-site.

Below are some of the most popular Training Companies giving world class training:

1. Internetwork Expert – internetworkexpert.com, is the leader in CCIE Training with experienced dual, triple, quad and penta ccie instructors.

2. IP Expert – ipexpert.com, is the most popular CCIE Training and preparation company to date.

3. ccBootCamp – ccbootcamp.com, is also the leader in training and preparing candidates for multiple CCIE Tracks.

Besides, these what i can remember, there are several other persons who are very much popular in CCIE BootCamps such as Brian Dennis, Scott Morris, Brian Mcgaghan, Roman, Narbik and Khawar Butt. Try googling for them and you can find their upcoming bootcamps, locations and costs.

For passing the CCIE Lab, you needs hours and hours of handson, there are three options for it:

1. Purchase your own rack.

2. Take Equipment on Rent (many companies do it).

3. Buy online rack rental hours.

Any option can be taken, depending on your financial condition and comfortability. The most expensive option is the first one. The least expensive is the last one.

Some popular rack rental sites are:

1. www.internetworkexpert.com

2. www.proctorlabs.com

3. www.ccie2b.com

4. www.ccie4u.com

5. www.cconlinelabs.com

6. www.ipexpert.com

I hope this information might have been useful, if it is to you, do leave a comment or drop me an email.

Starter's Guidelines for Persuing Expert Network Certifications

2009-04-15T13:44:00.000-07:00

After many emails from youngsters and juniors asking how I started my career and pursued a successful career in Information and Communications Technology. Finally i was able to devote some time to write something as a guideline to pursue a successful career in networks engineering.

First things first, there are a lot of misconceptions getting into the Systems / Networks Engineering, most of the fresh graduates are asking me repeatedly the same question that "is it worthy enough to pursue a career in it after graduation and do certifications, will it be a good career with growth and progression?"

The simple answer is, it depends. There are several specialization paths that could be followed such as "Systems Engineering" , "Network Engineering" , "Security Administration" , "Storage Area Networks Engineering" , "Voice over IP Administration" and "Wireless Networks".

Lets take each one, once you enter you could go into "Systems Engineering / Administration" that is mainly dominated by Operating Systems and Server Administration like Windows Server System, Linux, Unix and Solaris. Almost all of them offer several enterprise services such as Directory, Naming, Email, Security, Data Transfer, Communication, Voice, Video etc.

Certifications involving Systems Engineering are available from several different vendors such as Microsoft, RedHat, IBM, HP, Sun, Comptia, EC-Council etc.

The next path is "Networks Engineering / Administration" which is a very promising and growing field, it sub-divides into several different categories such as Routing & Switching, Network Security, Service Provider Networks, Wireless Networks and Voice over IP. These are very wide, vast fields which can be a WORLD in themselves.

Major Certifications are offered from Cisco and Juniper.

The other path belonging to Systems and Network Design and Architecture, this is the next career progression for an engineer after working in the implementation for a considerable number of years. This is a critical job role involving Enterprisewide Systems and Networks design.

Cisco Offers a seperate track for its design professionals including associate, professional and expert level certifications. Several other vendor neutral and vendor specific certifications are also available, but designing and architecting the enterprise requires implementation experience.

So far I have highlighted the sub-divisions of the Networks and Systems Engineering including:
- Systems Engineering
- Network Engineering including Routing, Switching, Service Provider and Wireless
- Network and Systems Security Administration
- Network, Systems and Security Design

Dynamips for CCIE R/S

2008-02-19T01:59:00.000-08:00

The IdlePC Values and IOS Versions that i used to build the CCIE R/S Lab are:

[[3725]]
image = /ccie/base/c3725-adventerprisek9-mz.124-17.bin
ram = 128
disk0 = 0
disk1 = 0
mmap = True
ghostios = True
idlepc = 0x60a6d020

[[3640]]
image = /ccie/base/c3640-js-mz.124-17.bin
ram = 128
disk0 = 0
disk1 = 0
mmap = True
ghostios = True
idlepc = 0x604c37fc

For Instance 1: The 3725's were used for Routers R1 - R6.
For Instance 2: All 3640's were used for SW1 - SW4 and BB1 - BB3.

In Linux, i have noticed that 3725 performs much better as compared to 3640. On full load, means IGP, BGP, Redistribution, Multicasting and Security the CPU Load was 40%.

The Dynamips Server Configuration was:
AMD Athlon X2 64Bit 4400+
2 GB Corsair DDR2
80 Gb HDD
Fedora Core 6, 32Bit

The Dynagen Client runs on my laptop in Windows XP.

2008-01-28T23:36:00.000-08:00

Hi All,

Since my last post regarding my CCIE# i have received countless unicasts from different professionals asking for advice on how to start their studies and how i did it in the first attempt. Finally since I am still resting and evaluating Job Offers in my mailbox :) , I have decided to write my journey towards becoming a ccie. I couldn't find any better place than the GS itself so pardon me if you don't like the size of it. Here it goes, pardon me for any typos and NO I don't work for any workbook vendor ;), telling ya straight.

I started preparing for the CCIE roughly 4 years ago when i did the CCIE Routing & Switching Training from a local institute during my studies. But then I entered in the professional field, got married ;) and things slowed down to a halt due to my OTHER activities.

I started my personal goal again over 1.5 years ago but things were going very slow, until i finally decided to take CCIE Certification Seriously and devote time and resources to it, i started studying in nights and on whole weekends. For Practicing I was in search of low-cost lab equipment when a friend told me about dynamips as a Cisco 7200 Router Simulator; i was impressed with the performance and its ease of use. I immediately started searching for its features, configuration settings and found a detailed article from Brian Mcghan of internetworkexpert explaining dynamips, furthermore the HACKI's forum was very much helpful in the initial stages of dynamips / dynagen experiences.

I tuned, tweaked and optimized dynamips configuration files and idlepc values for one month while practicing my Routing Techniques on it, and it was in JANUARY 2007. A CCIE Friend told me about internetworkexpert.com. And also about the groupstudy.com, At that time I didn't have a clear view of what to study how to do it and what to practice for the CCIE due to a number of topics being covered in the R&S Program. Brian's detailed CCIE R&S Topics list in their Free Resources section helped me enormously till the last day for tracking my performance and topics to cover.

I already had a strong base in IGP and BGP but i was weak in Advanced Switching, QoS, Security and Multicasting. For getting an edge in non-core topics i reviewed KnowledgeNet QoS and Multicast. I polished my security and Switching skills using the Cisco DocCD.

Afterwards, i started viewing Class on Demand Videos of Internetwork Expert. After digesting that video of several hours in one month by seeing it again and again. I started doing Advanced Technology Labs on Dynamips. It took me another one and a half month to finish them off
completely and tuning Dynamips Topological File for Advanced Technology Labs, i changed the interfaces, switch connections and frame-relay topology to suit my needs. Some Tasks were not supported in Dynamips such as Dot1x Tunneling, VLAN ACLs, RSPAN, Dynamic Trunking etc. so i skipped them and lateron rented a rack several times for practicing those specific topics. During this time, i reviewed the CoD countless times to gain a deeper understanding of
technologies.

My next move was to purchase a dedicated dynamips server to support my topology as my laptop was not enough for it, i purchased an AMD Athlon 64 4400+ with 2 GiG RAM as a dynamips server machine. Here Scott Vermillion came to the rescue as I was using Windows as my primary OS but I failed miserably in running the full topology, Scott insisted and encouraged me to use linux as at that time he was using MacOSX.

You can find my huge post in the GS Archives.

I started doing the Core-Labs as my next move to improve my IGP, BGP and Redistribution skills, additional one month just for the 10 Labs, they surely were hard as i think now :). Core Labs were done easily done on the Dynamips Server that i had purchased because they focused
on IGP, Redistribution and BGP the most. Switching was mostly simple and when i was stuck with an unsupported task, i always skipped it and did them later on a rented rack if I had the chance.

Finally i started R&S Workbook Labs, the first five labs were just warm up labs as the authors said but they looked really hard to me at the first glance, they can be done using Dynamips but some tasks were skipped in Switching. Initially it took me 3 days to finish only one lab with research on every topic. When i reached Lab5 i gained speed, accuracy and got familiar with most of the problems. Lab5 was done in 13 Hours in first attempt on my dynamips.

I continued doing the workbook labs 6,7,8,9 and 10. The hardest of all was Lab 7 which again took me two days to figure out. After finishing Lab10 i almost knew all of the problems and i could solve most of the tasks at the back of my head. Labs 11 - 13 i did with a pencil just to
save some time. Then I did all the remaining 14 – 20 Labs. Next, I rented rack equipment and did several labs on them again. Again My CCIE friend came to rescue and generously gave access to his own rack with 9 Routers and 2 3550's I used it to do Labs again and gained some speed and accuracy. Thanks Ghias for that.

In total I did the IE Labs 3 times on different equipment, 1st time on Dynamips, 2nd time on rented rack and third time on Physical Rack. Finally, in the last month, I reviewed most of the content again, reviewed the Class on Demand Videos to refresh some of the topics such as Catalyst QoS (freely available on internetworkexpert free resources section), IP/IOS Services, Multicasting, Security and BGP. I took references from the DocCD to memorize where to find stuff like Router Menus, WCCP, Nat, Reflexive ACLs, CBAC, IGMP Filtering, Multicast Stub
Routing, IPv6 etc.

I sat for lab in dubai on 22nd Jan 2008 and fortunately attained the number in the first attempt. For the last 2 nights i couldn't sleep and i just kept on praying and building strategies like should i do frame-relay first restart the routers then go on switching or the otherway around etc etc..

Well, I hope this LONG LONG Post will help most of the people who emailed me for guidance on how to start and where to search the material. I specifically used IE Material but I have also seen other vendor's workbooks such as IPEXPERT, IEMENTOR, Soup-to-Nuts etc. and I
have found them equally good for practicing the labs. It's a personal preference and what your company/budget allows you to purchase. Lastly, i would say, this was my technique, i cannot guarantee that following this one could lead you to success but it worked for me. I did the core-labs first, authors dont recommend this way, but i did it.

Regards,
--
Farhan Anwar
CCIE #19871
www.farhananwar.com

Finally CCIE!

2008-01-23T23:41:00.000-08:00

CCIE#19871 achieved in Routing and Switching on 22nd JANUARY 2008 in Dubai.

--
Farhan Anwar
Now CCIE#19871

Just got my CCIE

2008-01-22T23:44:00.000-08:00

Sitting on dubai international airport .... i have just checked the result with shaking hands. And there i found the CCIE#19871. I can't believe that i am in the <5% style="color: rgb(136, 136, 136);">--
Farhan Anwar
Now CCIE#19871
www.farhananwar.com

Dynamips IdlePC Values

2007-10-19T03:44:00.000-07:00

OS: Windows XP ( any Windows Platform)

Although, these IdlePC Values are hardware independent, but i generated them on:
Intel Core Duo 1.66 GHz Centrino Processor with 2 GB Ram.

c3725-adventerprisek9-mz.124-7.ext.BIN
0x612f1a04 [52]
0x60af25c8 [77]

c3620-is-mz.123-18.ext.BIN
0x604ca9ac [67]

c3640-is-mz.124-8T.bin
0x605b8dbc [57]
0x6062e728 [69]
0x6062e8f0 [76]
0x606e70ec [66]
0x606e716c [55]
0x6062fb40 [60]

c3640-jk9o3s-mz.124-5a.ext.BIN
**0x60610428 [58]
*0x604e0630 [54]
0x6055a938 [69]
0x60555c98 [72]
0x60555cc0 [66]
0x60555e8c [76]

c3640-ik9o3s-mz.124-7.bin
**0x60638cd8 [46]
*0x605119f0 [56]

c7200-adventerprisek9-mz.124-4.T1.ext.BIN
*0x6070c270 [56]
*0x6034d4bc [57]

Farhan Anwar.
MCSE:Security,CCNP,JNCIA,CCIE (R&S --Ongoing)

BGP - CCIE Notes

2007-09-18T04:17:00.000-07:00

Within an AS, bgp peers do not need to be directly connected.
For routers that run ebgp, neighbors are usually directly connected.
ALL bgp speakers within an AS MUST establish a peer relationship unless you use Route
reflectors or confederations.
When a bgp speaker receives an update from other bgp speakers in its own AS, (via ibgp) the
receiving bgp speaker uses ebgp to forward the update to ebgp speakers only.
The BGP synchronization rule states that if an AS provides transit service to another AS, BGP
should not advertise a route until all of the routers within the AS have learned the route via an
IGP.
You can disable synchronization if one of the following is true:

1. Your AS does not pass traffic from one AS to another.
2. ALL the transit routers in your AS run BGP

The only difference between advertising a static and a default route, is that when you redistribute a
static, BGP sets the origin attribute of updates to incomplete.
Redistributing a static route is the best way to advertise a supernet because it stops the route from
flapping.
To ensure a loop free inter-domain topology, BGP does not accept updates that originated from its own AS.
Origin attribute- will be “i” when injected with network command in router configuration mode, “e” when learned through EGP, “?” incomplete when a route is redistributed into bgp.
BGP specifies that the next hop of EBGP learned routes remain unchanged into and through IBGP.

BGP Attributes

The weight attribute is a special CISCO attribute that is used in the path selection when there is more than one route to the destination. The weight attribute is local to the router on which it is assigned and is NOT propagated in routing updates. (higher more preferred), there are 3 ways to set weight:

Access-list
Route-map
Neighbor weight command

The local preference attribute indicates the preferred path when there is multiple paths. (higher=better). Unlike the weight attribute, the local preference is carried with route updates and exchanged with routers in the same AS. 2 ways to set local preference:

use the bgp default local-preference command
route-maps

The MED attribute is a hint to EBGP peers about the preferred path into an AS when there are multiple. (lower=better). Unlike local preference, the MED is exchanged between AS’s, but a MED that comes into

an AS does not leave the AS.

The community attribute provides a way of grouping destinations to which routing decisions can be

applied. To send the attribute you MUST use the neighbor send-community router config command.

Switching - CCIE Notes

2007-09-18T04:07:00.000-07:00

A Switch Port can be dynamic, static or automatic. Switch Port can be a Trunk or an Access Port.
The Default Encapsulation Protocol for DTP is ISL.
Native VLAN is supposed to be an Untagged VLAN which doesn’t has any VLAN information attached.
To disable Dynamic Trunking Protocol use no negotiate
To create an Ether channel without negotiation we use channel-group 1 mode on. This creates an ether channel without any Ether Channeling protocol (PAGP / LACP).
Making Channel Group Mode to DESIREABLE or AUTO makes it negotiable over PAGP.
Making Channel Group Mode to ACTIVE or PASSIVE makes it negotiable over LACP.
Enabling DTP and issuing conflicting VTP Domain names causes the Switches to warn before enabling VLAN Trunking Protocols over the Trunk Links.
VLAN Load Balancing can be achieved in the following ways:

VLAN ALLOW LIST: This allows different VLANs to travel over different Trunks for better trunk efficiency and load balanced environment. Certain VLANs are allowed over one trunk and other set of VLANs can be allowed to travel over another trunk.
MSTP VLAN Load Balancing: This allows VLAN Instance Load Balancing over different Trunks.
STP Port Priority: By assigning different VLANs to different TRUNKs and changing the STP Port Priority.
STP Port Cost: By assigning different VLANs to different TRUNKs and changing the STP Port COST.

The Minimum Forward Delay time for Spanning Tree is 4 Seconds.
Enabling Spanning Tree PortFast on interfaces causes it to bypass Listening and Learning State and directly transit into FORWARD State.
Enabling UplinkFast Globally causes the Switch to quickly transit its root port to another port in an event of an uplink failure.
Enabling BackboneFast Globally causes the Switch to know immediately if its path to ROOT has been broken somewhere on another switch (indirectly) and switch its path to alternate one.
Enabling BPDU-Guard Allows an ACCESS-PORT to quickly go into PORT-INCONSISTENT (Block) State if a BPDU is received on it. This is done on all PortFast Enabled Access Ports.
Enabling Root Guard on the Root Switch Designated Ports allows the switch to reject any Superior BPDUs received on those ports and protect itself from loosing the ROOT Role.
BPDU Filter is an extension of BPDU-Guard in which we can define what to do if a BPDU has been received on an ACCESS-Port.
BPDU Loop Guard allows the switch to protect itself from a sudden loss of BPDUs and go into infinite Spanning Tree Loop.
A Multiple STP contains INSTANCES where each instance could contain a single or a group of VLANs in it.

Configuration: spanning-tree mst configuration

Instance 1 vlan 1-3
Instance 2 vlan 4-6
Instance 4 vlan 7-9

Layer 3 Switching:

Switch Security:

Port Security

Max. Mac Address Learn Limits

Port Authentication

VLAN Hopping:

Hacker can negotiate a TRUNK with the Switch and can move b/w VLANs easily.
This happens because the default state of every port is Dynamic Desirable.

Private VLANs:

The common concept is VLANs within VLANs.

Private VLANs has sub-vlans, it contains a Main VLAN called "PRIMARY-VLAN".
Private VLANs can only be configured in a TRANSPARENT Mode.
There can only be 1 ISOLATED or COMMUNITY VLAN per Primary VLAN.
Private VLANs provide ISOLATION and GROUPING within a VLAN.

There are three types of sub-vlans:

Promiscuous	It’s a port in Primary VLAN which can be reached by all Isolated and Community Ports
Isolated	It’s a port in Primary VLAN but can't connect to any other port
Community	It’s a group of ports in Primary VLANs which can connect to each other and they can also reach Promiscuous Port but they can't reach any ISOLATED Ports.

Configuration:

Vlan 100

Private-vlan primary

Vlan 110

Private-vlan isolated

Vlan 120

Private-vlan community

Vlan 100

Private-vlan association 110,120

Interface fast1/1

Description Private Isolated VLAN 100

Switchport mode private-vlan host

Switchport private-vlan host-association 100 110

Interface fast1/2

Description Private Community VLAN 100

Switchport mode private-vlan host

Switchport private-vlan host-association 100 120

Interface fast1/3

Description Private Community VLAN 100

Switchport mode private-vlan promiscuous

Switchport private-vlan mapping 100 110,120

Verification:

Show vlan private-vlan

Spoofing Attacks:

Ip dhcp snooping trust	Listens to ARP / DHCP Requests, makes IP to Mac Bindings Table
Ip verify source vlan dhcp-snooping port-security	Ip source guard enablement.

Spanning Tree Attacks:

Spanning-tree bpduguard enable

Blocks (shutsdown - errdisable)a Port which is not destined to receive any BPDUs

Spanning-tree guard root

Root Guard, protects a port to receive superior BPDUs on a root-guard enabled port. This is enabled only on Root and Backup-Root Switches

Best Practices:

Disable CDP Whenever Possible.
Lock down the spanning tree.
Disable Trunk Negotiation and use manual negotiation.
Place unused ports in a blackhole vlan or blocked vlan.
Enable SwitchPort host (enables access mode, enables portfast, disables channelgroup)
Use SSH whenever possible for doing Switched Configuration.

Frame Relay Notes - CCIE

2007-09-15T04:03:00.000-07:00

A point-to-point sub interface can only accommodate a single DLCI at any given time. Point-to-point sub-interfaces are treated by the IOS like a physical point-to-point interface and do not need either inverse-arp or frame-relay map statements.
Multipoint DLCI’s rely on either inverse-arp or frame-relay map statements for proper operation.
You must manually clear inverse-arp with a clear frame-inarp command to remove any undesired inverse-arp entries.
The broadcast parameter is required for protocols such as OSPF
If the router is reloaded inverse-arp will be disabled for any DLCI that is used with a frame-relay map statement.
As a rule when configuring frame-relay map statements make note of the protocol and the DLCI specified if there are any inverse mappings for that same protocol referencing the same DLCI replace the inverse-arp entries with frame-relay map statements.
Rules to remember when configuring point-to-point sub-interfaces are:

No frame-relay map statements can be used with point-to-point sub-interfaces
One and only once DLCI can be associated with a single point-to-point interfaces

Without the frame-relay interface DLCI command, all DLCI’s are assigned to the physical Interface Split horizon only blocks routing updates in a hub and spoke topology
A Cisco IOS remedy to this split horizon problem is to disable split horizon on the hub router in a frame-relay network this can be performed at the interface configuration mode.
Split horizon is disabled on frame-relay physical IP interfaces split horizon is enabled on framerelay point-to-point and multi-point IP sub-interfaces.
OSPF is not affected by the rule of split horizon since it does not apply it.
A remedy to the problem of “hello mismatches” is using the Cisco IOS interface configuration command “IP OSPF network”:
A popular selection for OSPF networks is the point-to-multipoint option.
When using only physical interfaces in a hub and spoke topology you need to add a frame-relay map statement on the spoke routers to assure spoke to spoke reachability nothing needs to be done to the hub router.
If using point-to-point sub-interfaces each sub-interface must be configured as a separate sub net. If a physical or multipoint sub interface is being used at the hub remember to disable split horizon at the hub

Notes on IPv6

2007-09-14T15:45:00.000-07:00

Aggregatable Global Unitcast Address	2000 - 3FFF: Original Routable Addresses
Link-Local Unicast Addresses	FE80: 1/1024th of all available for Link only, used to get Global Unicast Address via a Router or a DHCP.
Site-Local Unicast Addresses	FEC0: 1/1024th of all available IPv6 Space, its sort of Private IP Addressing Scheme. Deprecated.
Multicast Addresses	FFxx: Starts with FF, used for Multicasting.
Multicast to all hosts	FF02::1 essentially the same as 255.255.255.255

The Broadcast has been removed, multicasting has taken its place.
FrameRelay Inverse-Arp is not yet implemented, so Static Mapping should be used.
ICMPv6 Neighbor Discovery will ultimately replace IPv4 ARP.

ICMPv6 Neighbor Solicitation	Ask for Information about the neighbor
ICMPv6 Neighbor Advertisement	Advertise yourself to neighbor
ICMPv6 Router Solicitation	Ask for info about the Local Routers
ICMPv6 Router Advertisement	Advertise yourself as Local Router

Ipv6 unicast-routing enables IPv6 on a Router. It enables ICMPv6 ND and Dynamic Routing Support.
Debug ipv6 packet detail
Debug ipv6 nd

RIPng

RFC 2080 Defines Ripng for IPv6

UDP Port 521 is used instead of 520 with a Multicast Address of FF02::9

Configuration:

Interface Level : Ipv6 rip [process] enable

OSPFv3

Similar to OSPFv2
Router-id is an IPv4 Address
Configuration:
Interface Level: ipv6 ospf [process id] area [area-id]
Global Level: Automatically Enabled.
Multicast Address is: FF02::5

BGPv6

Same process for IPv6 as of IPv4.
Address-family configuration is used.

Static Tunneling:

GRE	The Default Tunnel Mode
IPv6 IP	Running IPv4 to IPv6 Tunneling

Automatic Tunnels:

6to4 Tunnels	IPv6 Address to IPv4 Tunneling
ISATAP	Automatic Host to Host or Host to Router Tunneling

Firewall Filters in Juniper JunOS

2007-08-25T12:29:00.000-07:00

Introduction to Firewall Filters in JunOS

· Firewall Filters are same as Access Control Lists in Cisco.
· Firewall Filters are stateless firewall filters just like ACLs in Cisco.

· Firewall Filter has:
o Discard:
o Reject:

· All ACLs are configured in Firewall Hierarchy
· All Firewall Filters have Names
Every Term has:
From Clauses ( Matches )
Then Clauses ( Actions )
Every Term can have a Number or a Name
The ANNOTATE Command can be used to write Comments against the filter terms

Show firewall policy-options

· JunOS always compiles Firewall Filters.
· JunOS Firewall Filters are performed always in Hardware using the Internet 2 Processor from IBM which gives Line Rate Packet Filtering Speed.
· For APPLYING a firewall filter list over an interface:
o Set interface fe-3/0/0 unit 0 family inet filter input-list block-bad-addresses
o Set interface fe-3/0/1 unit 0 family inet filter output-list block-bad-addresses
· Firewall Filters are applied with the perspective of a Router, if a Packet comes in through FE-3/0/0 and after re-routing it goes out from FE-3/0/1 then the input ACL will be at FE-3/0/0 and the output ACL will be at FE-3/0/1

Aggregate-address	Configure bgp aggregate entries
Auto-summary
Default-metric	Set metric of redistributed routes
Distance	Define admin distance
Distribute-list	Filter Networks in routing updates
Maximum-paths	Forward Packets on multiple paths
Synchronization	Perform IGP Synchronization (IBGP)
Timers	Adjust BGP Update Timers
Traffic-share	Algorithm for computing traffic share over alternate routes
Neighbor advertise-map	Specific route-map for conditional adverstisements
Neighbor advertisement-interval	Min. Interval b/w EBGP Routing Updates
Neighbor distribute-list	Filter Routes specific to neighbor
Neighbor Ebgp-multihop	Allow EBGP Neighbors not on directly connected networks
Neighbor Filter-list	Enable BGP Filters
Neighbor maximum-prefix	Max. Limit of Routes the neighbor could learn.
Neighbor next-hop-self	Disable Next-Hop Calculation for neighbor and advertise itself as the neighbor
Neighbor peer-group	Assign a Peer Group to the neighbor
Neighbor prefix-list	Filter updates from this neighbor
Neighbor remote-as	Define the AS
Neighbor remove-private-as	No Private AS #s in outbound updates
Neighbor route-map	Apply a route-map
Neighbor route-reflector-client	Enable Route-Reflection on this Router
Neighbor send-community	Send the Community Attribute to this neighbor
Neighbor shutdown	Administratively disable peering with the neighbor
Neighbor timers	BGP Neighbor specific timers
Neighbor unsuppress-map	Route-Map to selectively allow suppressed routes to that specific neighbor
Neighbor update-source	Define Source interface for the neighbor
Neighbor weight	Specify neighbor specific weight (Cisco Only)