Difference between revisions of "Junos"
Latest revision as of 02:12, 4 April 2024
Misc
Cisco vs Juniper commands https://networking.ringofsaturn.com/Cisco/ciscojuniper.php
Python on Junos hosts https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-python-modules-on-device.html
- mount usb
- CLI Commands
- Junos RPM: RTT, jitter, packet-loss testing / probing
- CoS https://saidvandeklundert.net/2015-02-28-juniper-cos-notes/
Service Requests - What to collect https://kb.juniper.net/InfoCenter/index?page=content&id=KB26990&actp=METADATA
Bootable USB
Create a boot USB https://www.juniper.net/documentation/en_US/jsa7.3.1/jsa-installation-guide/topics/concept/concept-jsa-installation-guide-usb-flash-drive-installations.html
https://osxdaily.com/2015/06/05/copy-iso-to-usb-drive-mac-os-x-command/
macOS
- Find the disk (identify the USB stick before doing anything destructive):
  mount
- Unmount it:
  sudo diskutil umount /dev/rdisk2s1
- Copy. Note the r prepended to the device name (raw device) and that the target is the whole disk rdisk2, not the partition rdisk2s1. dd writes to whatever identifier you give it without asking, so check the disk twice, and check the image's SHA-256 against the value on Juniper's download page first:
  sudo dd if=/Users/neilt/Software/junos/junos-install-media-usb-mx-x86-64-19.4R3.11.img of=/dev/rdisk2 bs=1m
- Eject:
  diskutil eject /dev/rdisk2s1

Proxy for NZ to get Juniper images https://juniper.networks.fail/
  curl --proxy juniper.networks.fail:3128 -o <filename> https://cdn.juniper.net/blah
For an https URL curl tunnels through the proxy with CONNECT, so TLS still terminates at cdn.juniper.net and the proxy sees only the hostname. The download still passes through a third party's box, so verify the published checksum before installing the image or writing it to USB.
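Before an image that came through someone else's proxy (or any image) goes anywhere near dd, compare its SHA-256 with the value Juniper publishes next to the download. The script below is an added example, not from the original page or from Juniper: verify_image is a name chosen here, the expected hash is whatever the download page shows, and the dd line is kept in a comment because it is destructive.

```bash
#!/bin/sh
# verify_image: refuse to write a Junos image to USB unless its SHA-256 matches
# the value published by Juniper. Added example; not code from the page.
set -eu

sha256_of() {
  # Linux ships sha256sum, macOS ships shasum; print just the hex digest.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_image() {
  # $1 = path to the downloaded image
  # $2 = SHA-256 from Juniper's download page (case-insensitive hex)
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "OK   $1 matches the published SHA-256"
    return 0
  fi
  echo "FAIL $1: expected $expected, got $actual" >&2
  return 1
}

# Usage on macOS (placeholder disk identifier; confirm it with 'diskutil list').
# The r prefix selects the raw whole disk, not a partition.
#   verify_image junos-install-media-usb-mx-x86-64-19.4R3.11.img <sha256 from Juniper> \
#     && diskutil unmountDisk /dev/disk2 \
#     && sudo dd if=junos-install-media-usb-mx-x86-64-19.4R3.11.img of=/dev/rdisk2 bs=1m \
#     && diskutil eject /dev/disk2
```

The `&&` chain means a mismatch stops everything before the unmount, so a tampered or truncated download never reaches the stick.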
CLI Moving Around
- Left/Right Arrows or Ctrl-B Back one character and Ctrl-F Forward one character
- Ctrl-A To beginning of line
- Ctrl-E To end of line
- Ctrl-U Delete all characters
- Ctrl-W Delete entire word to left of cursor
- Ctrl-L Redraw the current line
Command History
- Up/Down Arrows or Ctrl-P move backwards through command history and Ctrl-N move forward through command history
Configuration
- Deactivate - the stanza stays in the configuration marked inactive: and is not loaded into the running state
  deactivate interfaces ae1 unit 2
  activate interfaces ae1 unit 2
- Disable - the configuration is loaded but ignored, e.g. set interfaces ge-0/0/7 disable keeps the interface configured but administratively down
- Trunk - has VLAN tags
- Access - untagged ethernet
- fxp0 (em0 on newer Routing Engines) = the management interface, out of band from the forwarding plane
  show configuration | display inheritance no-comments
  show configuration | display inheritance no-comments | display set | match foo
Loading config
  configure private
  load replace /var/tmp/someconfig.cfg
  show | compare
  commit check
  commit <synchronize> and-quit
On a box you reach only over the network, use commit confirmed <minutes> first: the change rolls back automatically unless a second commit lands within that window, so a bad filter or routing change cannot lock you out.
Patch / exclude group from leaf
  load patch terminal
  [edit access profile aaa-profile radius]
  -    apply-groups-except BNGRadius;
  +    apply-groups-except [ BNGRadius BNGRadiusLab ];
  +    authentication-server 10.0.0.1;
  +    accounting-server 10.0.0.1;
then Ctrl-D to end the input.
Quick backup and rollback
Save a full copy of the current config - in conf mode just issue
save /var/tmp/hostname.conf
To restore back to exactly as you left it issue
load override /var/tmp/hostname.conf
Mount a USB
- Connect to the shell with start shell
- See a list of existing partitions with ls /dev/da*
- Plug in the USB drive; a list of mount information will appear
- Run ls /dev/da* again and see that an additional partition is available, such as /dev/da1s1
- Create a mount point with mkdir /var/tmp/usb
- Mount the partition with mount_msdosfs [partition] /var/tmp/usb
- Copy files as required with cp
- Unmount the partition with umount /var/tmp/usb
- Remove the USB drive
Common MX Interfaces
  ge           1Gbit (fibre)
  xe           10Gb
  et           100Gb (also 40Gb, and 10Gb on some hardware)
  xe-1/2/0.1   logical unit 1. By convention this often carries VLAN ID 1, but the unit number and the vlan-id are independent: check the unit's vlan-id rather than assuming
  xe-1/2/0:1   channel 1 of a 40Gb port channelised to operate as individual 10Gb interfaces (40Gb = 4 x 10Gb physically anyhow), e.g. with a PLR4 optic
N.B set chassis fpc 1 pic 2 port 0 channel-speed 10g
L2 - L3 MTU
The following sets a 1500-byte MTU at the logical unit, i.e. on the L2 frame (so the usable L3 MTU is 1500 less the headers):
  interfaces {
      <*> {
          unit <*> {
              encapsulation ethernet;
              mtu 1500;
              family inet {
                  rpf-check;
                  filter {
                      input inet-somefilter-in;
                  }
              }
          }
      }
  }
The following sets a 1500-byte L3 (IP) MTU no matter how the service arrived at the port (untagged, one VLAN tag or two):
  interfaces {
      <*> {
          unit <*> {
              encapsulation ethernet;
              family inet {
                  mtu 1500;
                  rpf-check;
                  filter {
                      input inet-somefilter-in;
                  }
              }
          }
      }
  }
LAG Issues
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19798
Show LAG members:
  user@router> show lacp interfaces
  Aggregated interface: ae1
      LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
        xe-0/1/1       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
        xe-0/1/1     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        xe-0/1/0       Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
        xe-0/1/0     Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
      LACP protocol:        Receive State  Transmit State          Mux State
        xe-0/1/1                  Current   Fast periodic Collecting distributing
        xe-0/1/0                  Current   Fast periodic Collecting distributing
A healthy member shows Dist and Col Yes and a Mux State of Collecting distributing. Def Yes or Exp Yes means the member is running on defaulted or expired partner information, i.e. LACPDUs are not arriving from the far end on that link.
Normal config:
  set interfaces ae1 description "Ultimate LAG"
  set interfaces ae1 flexible-vlan-tagging
  set interfaces ae1 mtu 9100
  set interfaces ae1 encapsulation flexible-ethernet-services
  set interfaces ae1 aggregated-ether-options lacp active

  set interfaces xe-0/1/0 description "I'm a member of a LAG | member of ae1"
  set interfaces xe-0/1/0 gigether-options 802.3ad ae1
Take an interface out of a lag
deactivate interfaces xe-0/1/0 gigether-options
Put an interface back into a lag
activate interfaces xe-0/1/0 gigether-options
Routing
BGP
Display all routes in a routing-instance (tab completion does not work for the table name here)
  show route table <routing-instance_name>
  show route receive-protocol bgp <neighbor IP>
  show route instance <name> detail
  deactivate routing-instances <name> protocols bgp group <group name / Domestic> neighbor <IP>
(Junos spells the keyword neighbor; neighbour is a syntax error.)
Which BGP sessions there are (e.g. the MPLS VPN peerings) and their state
  show bgp summary
Get the IP address of the session (looking for advertised prefixes)
  show bgp neighbor 123.123.123.123
Find out what the advertised prefixes are
  show route advertising-protocol bgp 123.123.123.123
Change the ISIS metric (set it high so traffic will not prefer this interface)
  set protocols isis interface et-0/0/16.0 level 2 metric 200
Do the same but via a group - remember to do it at both ends!
  set groups AvoidLink apply-flags omit
  set groups AvoidLink protocols isis interface <*> level 2 metric 500
  set protocols isis interface xe-1/2/2.0 apply-groups AvoidLink
  set protocols isis interface xe-1/2/4.0 apply-groups AvoidLink
Prefix Limits
Find the limits at PeeringDB https://www.peeringdb.com/ (the peer's self-declared maximum; leave headroom above it so normal growth does not trip the limit)
  set routing-instances IXname protocols bgp group Bilat-ASname description ASname
  set routing-instances IXname protocols bgp group Bilat-ASname peer-as 123456
  set routing-instances IXname protocols bgp group Bilat-ASname neighbor [ipv4address] family inet unicast prefix-limit maximum 350
  set routing-instances IXname protocols bgp group Bilat-ASname neighbor [ipv6address] family inet6 unicast prefix-limit maximum 350
Without teardown, exceeding maximum only produces a syslog message and the session stays up. Add teardown <percentage> idle-timeout <minutes> (e.g. prefix-limit maximum 350 teardown 80 idle-timeout 30) so a route leak from the peer resets the session instead of being accepted, with a warning logged at 80% before that happens.
MTU testing
  ping routing-instance <name> <IP> size 1500
Note that size is the ICMP payload size, so size 1500 sends a 1528-byte IP packet, and without do-not-fragment the router simply fragments it; a successful ping then proves nothing about path MTU. To prove a 1500-byte IP MTU end to end use:
  ping routing-instance <name> <IP> size 1472 do-not-fragment
Routes learned from a peer
  show route receive-protocol bgp 255.251.186.255 table someone.inet

Disable an interface carrying MPLS
- Disable ISIS at both ends: set protocols isis interface [x] level 2 metric 30 disable
- Wait for traffic to drain off the link, then shut down the interface

Reserved Capacity
  user@host> show rsvp interface et-0/0/8.0 detail
  et-0/0/8.0 Index 564, State Ena/Up
    NoAuthentication, Aggregate, Reliable, LinkProtection
    HelloInterval 9(second)
    Address 10.55.88.8
    ActiveResv 731, PreemptionCnt 0, Update threshold 10%, MaxResvTh 0bps, 0%
    Subscription 100%, StaticBW 100Gbps, AvailableBW 51.7439Gbps, Actual 100%
    ReservedBW [0] 0bps [1] 0bps [2] 0bps [3] 21.6205Gbps [4] 0bps [5] 0bps [6] 26.6356Gbps [7] 0bps
In this deployment priority [3] holds the primary LSPs' reserved capacity and [6] the secondaries'.
CGN
show services nat mappings address-pooling-paired
BNG Subscribers
PPPoE config and examples https://tgregory.org/tag/juniper-mx-bng/
Count number of subscribers per pseudo wire
  show subscribers physical-interface ps13 client-type vlan count
Clearing subscribers: only the L3 sessions need clearing, which automatically clears the L2 sessions (or should):
  clear dhcp relay binding routing-instance Customers dual-stack 116.yyy.yyy.yyy
or
  clear dhcp relay binding routing-instance Customers ps1.xxxx
  clear dhcpv6 relay binding routing-instance Customers ps1.xxxx

  clear dhcpv6 relay binding routing-instance Customers ps0.*
  clear dhcpv6 relay binding routing-instance Customers ps2.*
  clear dhcpv6 relay binding routing-instance Customers ps3.*
  clear dhcpv6 relay binding routing-instance Customers ps4.*
- or PPPoE subs:
clear pppoe sessions pp0.3221225754
- Clear the VLAN interface
clear auto-configuration interfaces ps6.3221273839
Show the dynamic-profile attributes applied to a subscriber session, and their values
show dynamic-configuration session information session-id <session-id>
ddos
  show ddos-protection protocols dhcpv6 violations
Example syslog when a violation clears:
  jddosd[20065]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 181 times, from 2017-09-30 12:36:18 NZDT to 2017-09-30 12:36:28 NZDT
Firewalls SRX
Firewalls - IP Spoofing
If a policy that is meant to allow the flow is never hit, the most probable cause is the ip-spoofing screen: the SRX drops the packet before policy lookup when the source address has no route, or when the route to it points out an interface in a different zone from the one the packet arrived on. Confirm with show route <source-address> (it must resolve via the ingress zone) and show security screen statistics zone <zone>. The log line looks like:
  [junos@2636.1.1.1.2.137 attack-name="IP spoofing!" source-address="10.0.0.27" destination-address="10.254.254.10" protocol-id="17" source-zone-name="ZONE_A" interface-name="xe-0/0/17.9" action="drop"]
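The two log formats above (the jddosd DDOS_PROTOCOL_VIOLATION messages in the ddos section and the [junos@2636... key="value"] structured-data element of the screen drop) are the ones worth pulling into a detection pipeline. The script below is an added example, not code from the original page or from Juniper: it parses both, counts spoofing drops per ingress interface and source, and reports DDoS-protection groups that have a SET without a later CLEAR. The sample log lines are constructed for the demo, modelled on the two events quoted on this page; the syslog headers around them are made up.

```python
"""Triage Junos syslog for SRX screen drops and DDoS-protection violations.

Added example, not code from the original page or from Juniper. The
[junos@2636... key="value" ...] structured-data element and the jddosd wording
follow the lines quoted on the page; the surrounding syslog headers are constructed.
"""
import re
from collections import Counter

# key="value" pairs inside the [junos@2636.x.x.x ...] structured-data element
_SD_ELEMENT = re.compile(r'\[junos@[\d.]+\s+([^\]]*)\]')
_SD_PAIR = re.compile(r'([\w-]+)="([^"]*)"')

# jddosd DDOS_PROTOCOL_VIOLATION_SET / _CLEAR: protocol group, FPC and hit count
_DDOS = re.compile(
    r'DDOS_PROTOCOL_VIOLATION_(?P<event>SET|CLEAR):.*?'
    r'protocol/exception (?P<proto>\S+) .*?'
    r'fpc (?P<fpc>\d+) for (?P<count>\d+) times'
)

# Constructed sample log, modelled on the events quoted on this page.
SAMPLE_LINES = [
    '<14>1 2024-04-04T02:12:00.100Z fw1 RT_IDS - RT_SCREEN_IP '
    '[junos@2636.1.1.1.2.137 attack-name="IP spoofing!" source-address="10.0.0.27" '
    'destination-address="10.254.254.10" protocol-id="17" source-zone-name="ZONE_A" '
    'interface-name="xe-0/0/17.9" action="drop"]',
    '<14>1 2024-04-04T02:12:01.400Z fw1 RT_IDS - RT_SCREEN_IP '
    '[junos@2636.1.1.1.2.137 attack-name="IP spoofing!" source-address="10.0.0.27" '
    'destination-address="10.254.254.11" protocol-id="6" source-zone-name="ZONE_A" '
    'interface-name="xe-0/0/17.9" action="drop"]',
    # a permitted flow: structured-data, but no attack-name, so not a screen drop
    '<14>1 2024-04-04T02:12:02.000Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.137 source-address="10.0.0.5" '
    'destination-address="10.254.254.10" protocol-id="17" source-zone-name="ZONE_A"]',
    'Apr  4 02:12:05 mx1 jddosd[20065]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound '
    'traffic for protocol/exception DHCPv6:aggregate exceeded its allowed bandwidth at fpc 1 '
    'for 1 times, started at 2024-04-04 02:12:05 NZDT',
    'Sep 30 12:36:28 mx1 jddosd[20065]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound '
    'traffic for protocol/exception Sample:aggregate has returned to normal. Its allowed '
    'bandwith was exceeded at fpc 1 for 181 times, from 2017-09-30 12:36:18 NZDT to '
    '2017-09-30 12:36:28 NZDT',
]


def parse_structured(line):
    """Return the key/value pairs of a Junos structured-data line, or None."""
    m = _SD_ELEMENT.search(line)
    if not m:
        return None
    return dict(_SD_PAIR.findall(m.group(1)))


def parse_ddos(line):
    """Return event/proto/fpc/count for a jddosd violation line, or None."""
    m = _DDOS.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["fpc"], d["count"] = int(d["fpc"]), int(d["count"])
    return d


def screen_drops(lines):
    """Count screen drops per (attack, zone, ingress interface, source address)."""
    counts = Counter()
    for line in lines:
        f = parse_structured(line)
        if f and f.get("action") == "drop" and "attack-name" in f:
            key = (f["attack-name"], f.get("source-zone-name"),
                   f.get("interface-name"), f.get("source-address"))
            counts[key] += 1
    return counts


def ddos_open_violations(lines):
    """(protocol, fpc) -> hit count for SET events not yet followed by a CLEAR."""
    open_violations = {}
    for line in lines:
        d = parse_ddos(line)
        if not d:
            continue
        key = (d["proto"], d["fpc"])
        if d["event"] == "SET":
            open_violations[key] = d["count"]
        else:
            open_violations.pop(key, None)
    return open_violations


if __name__ == "__main__":
    for key, n in screen_drops(SAMPLE_LINES).items():
        print(f"{n:4d} x {key[0]!r} in zone {key[1]} on {key[2]} from {key[3]}")
    for (proto, fpc), n in ddos_open_violations(SAMPLE_LINES).items():
        print(f"still policed: {proto} on fpc {fpc} ({n} violations)")
```

Repeated spoofing drops from one source on one interface usually mean an asymmetric route or a missing return route rather than an attacker, which is exactly the case described above; the per-source count makes that pattern obvious before anyone opens the policy up.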
Flows - Debugging
  show security flow session destination-prefix 192.168.1.5/32
  clear security flow session interface ge-0/0/1.1 destination-prefix 192.168.1.5/32
Failover
Login on console as admin/root (as authentication may not be working)
Identify node vs device name - also look at the prompt
  show chassis routing-engine
  node0:
  --------------------------------------------------------------------------
  Routing Engine status:
      CPU temperature          62 degrees C / 143 degrees F
      ...
  node1:
  --------------------------------------------------------------------------
  Routing Engine status:
      Temperature              38 degrees C / 100 degrees F
      CPU temperature          65 degrees C / 149 degrees F
      ...
  {primary:node1}
  user@hostname>
Show Cluster
show chassis cluster status
  Cluster ID: 3
  Node   Priority  Status     Preempt  Manual  Monitor-failures

  Redundancy group: 0 , Failover count: 1
  node0  0         secondary  no       yes     CF
  node1  255       primary    no       yes     None

  Redundancy group: 1 , Failover count: 1
  node0  0         secondary  no       no      IF CS CF
  node1  1         primary    no       no      None

  Redundancy group: 2 , Failover count: 1
  node0  0         secondary  no       no      IF CS CF
  node1  1         primary    no       no      None
Here node0 has priority 0 and monitor failures (IF interface monitoring, CS cold sync, CF config sync), so it is not fit to take over; fix those before failing anything towards it.
If it's already been failed over manually, the manual failover flag needs resetting first:
  request chassis cluster failover reset redundancy-group 0
Fail the cluster over manually (make node 1 primary for redundancy group 0):
  > request chassis cluster failover redundancy-group 0 node 1
  node1:
  --------------------------------------------------------------------------
  Initiated manual failover for redundancy group 0
Then reboot the affected side of the cluster
request system reboot node 0
Initial Build
  request system configuration rescue save
  request system autorecovery state save
  request system snapshot slice alternate
Save the rescue configuration once the box is in a known-good state: it is what rollback rescue and the recovery procedure fall back to. The snapshot copies the running image to the alternate slice so a failed upgrade can still boot.
Root Password recovery
https://kb.juniper.net/InfoCenter/index?page=content&id=KB12167&cat=MANAGEMENT_SW&actp=LIST
Recover an encrypted password
  request system decrypt password "$9$abcd/somehash"
This works because $9$ is reversible obfuscation, not a hash: anyone who can read the configuration (a backup, a pasted show configuration, a TAC upload) can recover every $9$ secret in it, including RADIUS shared secrets and BGP authentication keys. Treat config files with the same care as the secrets themselves. User login passwords are stored as one-way $5$/$6$ hashes and cannot be recovered this way; reset those instead.
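To see why the caveat matters, here is the $9$ scheme worked through as an added example (not code from the page or from Juniper). It implements the publicly documented decoder and its inverse: the alphabet families and per-position weights are the ones used by the well-known open-source $9$ decoders, the salt and filler characters are random so the same secret encodes differently every time, and nothing in the process involves a key. The sample secret is made up.

```python
"""Decode and re-encode Junos $9$ obfuscated secrets.

Added example, not from the original page or from Juniper. Tables follow the
publicly documented "type 9" scheme; only Latin-1 characters (ord < 256) are
representable, which is all Junos stores in these fields.
"""
import random

MAGIC = "$9$"
FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
          "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
NUM_ALPHA = "".join(FAMILY)
# number of random filler characters after the salt, chosen by the salt's family
EXTRA = {c: 3 - i for i, fam in enumerate(FAMILY) for c in fam}
# weights that turn 2-4 alphabet gaps back into one byte; cycles per character
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
            [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    """Distance from prev to cur around the alphabet, minus one."""
    return (NUM_ALPHA.index(cur) - NUM_ALPHA.index(prev)) % len(NUM_ALPHA) - 1


def decrypt(crypt):
    """Recover the plaintext of a $9$ string. No key is needed."""
    if not crypt.startswith(MAGIC):
        raise ValueError("not a $9$ string")
    chars = crypt[len(MAGIC):]
    salt, chars = chars[0], chars[1:]
    chars = chars[EXTRA[salt]:]               # skip the random filler
    prev, out = salt, ""
    while chars:
        weights = ENCODING[len(out) % len(ENCODING)]
        nib, chars = chars[:len(weights)], chars[len(weights):]
        if len(nib) != len(weights):
            raise ValueError("truncated $9$ string")
        value = 0
        for ch, w in zip(nib, weights):
            value += _gap(prev, ch) * w
            prev = ch
        out += chr(value % 256)
    return out


def encrypt(plain, rng=random):
    """Produce a $9$ string for plain; rng only affects the salt and filler."""
    salt = rng.choice(NUM_ALPHA)
    crypt = MAGIC + salt + "".join(rng.choice(NUM_ALPHA) for _ in range(EXTRA[salt]))
    prev = salt
    for pos, ch in enumerate(plain):
        if ord(ch) > 255:
            raise ValueError("only Latin-1 characters can be encoded")
        weights = ENCODING[pos % len(ENCODING)]
        value, gaps = ord(ch), []
        for w in reversed(weights):          # split the byte, largest weight first
            gaps.insert(0, value // w)
            value %= w
        for g in gaps:
            prev = NUM_ALPHA[(NUM_ALPHA.index(prev) + g + 1) % len(NUM_ALPHA)]
            crypt += prev
    return crypt


if __name__ == "__main__":
    obfuscated = encrypt("radius-secret-1")   # made-up secret
    print(obfuscated, "->", decrypt(obfuscated))
```

A secret that can be decoded by twenty lines of table lookups offers no protection once the configuration leaves the box, which is the point of the caveat above: restrict who can read configs and backups, and rotate any $9$ secret that has been pasted into a ticket.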
Login to unresponsive RE
  request routing-engine login other-routing-engine
  request routing-engine login (backup | master | other-routing-engine | re0 | re1)
Hardware
  show interfaces diagnostics optics xe-1/0/0
  show system processes extensive | match chassisd
  help topic interfaces family
  show chassis hardware
  show chassis pic fpc-slot 0 pic-slot 0
- Ifdown
  set interfaces ge-0/0/7 disable
- Ifup
  delete interfaces ge-0/0/7 disable
Monitor
monitor traffic shows only packets to and from the Routing Engine (control plane, e.g. sessions terminating on the BNG loopback), not transit traffic:
  monitor traffic interface ps1.0
Show packet stats in real time
  monitor interface ps4.12345
Copy between cluster nodes
file copy /var/tmp/abc.log node1:/var/log/
Packet Capture
  monitor traffic interface ps5 size 1600 write-file filename.pcap
Same limitation as monitor traffic above: only RE-bound traffic is captured. For transit traffic use port mirroring to a capture host.