Difference between revisions of "Junos"
Line 169: | Line 169: | ||
=== Root Password recovery === | === Root Password recovery === | ||
https://kb.juniper.net/InfoCenter/index?page=content&id=KB12167&cat=MANAGEMENT_SW&actp=LIST | https://kb.juniper.net/InfoCenter/index?page=content&id=KB12167&cat=MANAGEMENT_SW&actp=LIST | ||
+ | |||
+ | == Login to unresponsive RE == | ||
+ | request routing-engine login other-routing-engine | ||
+ | request routing-engine login (backup | master | other-routing-engine | re0 | re1) | ||
==Hardware== | ==Hardware== |
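Review bot: the added heading `== Login to unresponsive RE ==` is level 2, while the section directly above it is the level-3 `=== Root Password recovery ===`. If it is meant to sit alongside root password recovery it should be `===`, and if it is meant as a top-level section its spacing should match `==Hardware==`. The two added command lines also carry no explanatory text: say that the second line is the general syntax and the first is one instance of it.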
Revision as of 04:32, 19 May 2020
Misc
Cisco vs Juniper commands https://networking.ringofsaturn.com/Cisco/ciscojuniper.php
Python on Junos hosts https://www.juniper.net/documentation/en_US/junos/topics/reference/general/junos-python-modules-on-device.html
- mount usb
- CLI Commands
- Junos RPM RTT, Jitter, Packetloss testing / probing
Service Requests - What to collect https://kb.juniper.net/InfoCenter/index?page=content&id=KB26990&actp=METADATA
Configuration
- Deactivate - configuration is not loaded
- Disable - configuration is loaded but ignored
- Trunk - has vlan tags
- Access - naked ethernet
- Fx / ex0 = management
show configuration | display inheritance no-comments
show configuration | display inheritance no-comments | display set | match foo
Loading config
configure private
load replace /var/tmp/someconfig.cfg
show | compare
commit check
commit <synchronize> and-quit
Patch / exclude group from leaf
load patch terminal
[edit access profile aaa-profile radius] - apply-groups-except BNGRadius; + apply-groups-except [ BNGRadius BNGRadiusLab ]; + authentication-server 10.0.0.1; + accounting-server 10.0.0.1;
ctrl-d
Mount a USB
- Connect to the shell with start shell
- See a list of existing partitions with ls /dev/da*
- Plug in the USB drive; a list of mount information will appear
- Run ls /dev/da* again and see that an additional partition is available, such as /dev/da1s1
- Create a mount point with mkdir /var/tmp/usb
- Mount the partition with mount_msdosfs [partition] /var/tmp/usb
- Copy files as required with cp
- Unmount the partition with umount /var/tmp/usb
- Remove the USB drive
Common MX Interfaces
- ge: Gbit (Fibre)
- xe: 10Gb
- et: 100Gb (some 10Gb, 40Gb, 100Gb)
- xe-1/2/0.1: VLAN tag 1
- xe-1/2/0:1: 40Gb interface channelised to operate as individual 10Gb interfaces (since 40Gb = 4 x 10Gb physically anyhow)
LAG Issues
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19798
Routing
Display all routes in a routing-instance (can't use auto complete)
show route table <routing-instance_name>
show route receive-protocol bgp <neighbour IP>
show route instance <name> detail
deactivate routing-instances <name> protocols bgp group <group name / Domestic> neighbor <IP>
What mpls connections there are
show bgp summary
get the IPAddress of the connection (looking for advertised prefixes)
show bgp neighbor 123.123.123.123
Find out what the advertised prefixes are
show route advertising-protocol bgp 123.123.123.123
Change the ISIS metric (set it high so traffic will not prefer this interface)
set protocols isis interface et-0/0/16.0 level 2 metric 200
Do the same but via a group - remember to do it at both ends!
set groups AvoidLink apply-flags omit
set groups AvoidLink protocols isis interface <*> level 2 metric 500
set protocols isis interface xe-1/2/2.0 apply-groups AvoidLink
set protocols isis interface xe-1/2/4.0 apply-groups AvoidLink
MTU testing
ping routing-instance <name> <IP> size 1500
Disable an interface carrying MPLS
- Disable ISIS @ both ends
set protocols isis interface [x] level 2 metric 30 disable
- Wait for traffic to close / end, then shut down the interface
Reserved Capacity
user@host> show rsvp interface et-0/0/8.0 detail
et-0/0/8.0 Index 564, State Ena/Up
  NoAuthentication, Aggregate, Reliable, LinkProtection
  HelloInterval 9(second)
  Address 10.55.88.8
  ActiveResv 731, PreemptionCnt 0, Update threshold 10%, MaxResvTh 0bps, 0%
  Subscription 100%, StaticBW 100Gbps, AvailableBW 51.7439Gbps, Actual 100%
  ReservedBW [0] 0bps[1] 0bps[2] 0bps[3] 21.6205Gbps[4] 0bps[5] 0bps[6] 26.6356Gbps[7] 0bps
3 is Primary, 6 is Secondary - reserved capacity
CGN
show services nat mappings address-pooling-paired
BNG Subscribers
Count number of subscribers per pseudo wire
show subscribers physical-interface ps13 client-type vlan count
Clearing subscribers, only need to clear the L3 sessions - this automatically clears the L2 sessions (or should):
clear dhcp relay binding routing-instance Customers dual-stack 116.yyy.yyy.yyy
or
clear dhcp relay binding routing-instance Customers ps1.xxxx
clear dhcpv6 relay binding routing-instance Customers ps1.xxxx
clear dhcpv6 relay binding routing-instance Customers ps0.*
clear dhcpv6 relay binding routing-instance Customers ps2.*
clear dhcpv6 relay binding routing-instance Customers ps3.*
clear dhcpv6 relay binding routing-instance Customers ps4.*
- or PPPoE subs:
clear pppoe sessions pp0.3221225754
- Clear the VLAN interface
clear auto-configuration interfaces ps6.3221273839
Show the dynamic-profile attributes that are applied and their values to a subscriber session
show dynamic-configuration session information session-id <session-id>
ddos
show ddos-protection protocols dhcpv6 violations
jddosd[20065]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception Sample:aggregate has returned to normal. Its allowed bandwith was exceeded at fpc 1 for 181 times, from 2017-09-30 12:36:18 NZDT to 2017-09-30 12:36:28 NZDT
Firewalls - IP Spoofing
If there is a rule that is meant to allow the flow, it is most probable that the source address has no route, so the firewall drops the traffic before the rule is attempted.
[junos@2636.1.1.1.2.137 attack-name="IP spoofing!" source-address="10.0.0.27" destination-address="10.254.254.10" protocol-id="17" source-zone-name="ZONE_A" interface-name="xe-0/0/17.9" action="drop"]
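An added example (not from the original page or from Juniper) that parses the structured-data log line above and checks the "no route" explanation against a route list. `ZONE_ROUTES` and the function names are constructed for illustration; the example goes slightly beyond the page by also reporting, as an assumption about how the check behaves, when the source is routed only via a different zone.

```python
import ipaddress
import re

# RFC 5424 structured-data element: [sd-id name="value" ...]
SD_ELEMENT = re.compile(r'\[(?P<sd_id>[^\s\]"=]+)(?P<params>(?:\s+[\w-]+="(?:[^"\\]|\\.)*")*)\s*\]')
SD_PARAM = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

# Log line as shown on the page.
SAMPLE = ('[junos@2636.1.1.1.2.137 attack-name="IP spoofing!" source-address="10.0.0.27" '
          'destination-address="10.254.254.10" protocol-id="17" source-zone-name="ZONE_A" '
          'interface-name="xe-0/0/17.9" action="drop"]')

# Constructed for this example: prefixes whose route points into each zone.
ZONE_ROUTES = {"ZONE_A": ["10.254.0.0/16"], "ZONE_B": ["10.0.0.0/24"]}


def parse_sd(line):
    """Return the name/value pairs of the first structured-data element, or None."""
    m = SD_ELEMENT.search(line)
    if m is None:
        return None
    # Undo the RFC 5424 backslash escapes inside values.
    fields = {k: re.sub(r"\\(.)", r"\1", v) for k, v in SD_PARAM.findall(m.group("params"))}
    fields["sd-id"] = m.group("sd_id")
    return fields


def zones_routing(addr, zone_routes):
    """Zones that hold a route covering addr, sorted by name."""
    return sorted(z for z, prefixes in zone_routes.items()
                  if any(addr in ipaddress.ip_network(p) for p in prefixes))


def triage_spoof_drop(line, zone_routes):
    """Explain an "IP spoofing!" drop: does the source have a route via its ingress zone?"""
    f = parse_sd(line)
    if f is None or f.get("attack-name") != "IP spoofing!":
        return None
    src = ipaddress.ip_address(f["source-address"])
    routed_via = zones_routing(src, zone_routes)
    if f["source-zone-name"] in routed_via:
        cause = "route-present"          # drop is not explained by routing
    elif routed_via:
        cause = "route-in-other-zone"    # source is reachable, but not via this zone
    else:
        cause = "no-route"               # the case the page describes
    return {"source": str(src), "zone": f["source-zone-name"],
            "interface": f["interface-name"], "cause": cause, "routed_via": routed_via}


if __name__ == "__main__":
    print(triage_spoof_drop(SAMPLE, ZONE_ROUTES))
```

In practice the zone-to-prefix map would be built from the device's own routing table rather than typed in by hand.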
Initial Build
request system configuration rescue save
request system autorecovery state save
request system snapshot slice alternate
Root Password recovery
https://kb.juniper.net/InfoCenter/index?page=content&id=KB12167&cat=MANAGEMENT_SW&actp=LIST
Login to unresponsive RE
request routing-engine login other-routing-engine
request routing-engine login (backup | master | other-routing-engine | re0 | re1)
Hardware
show interfaces diagnostics optics xe-1/0/0
show system processes extensive | match chassisd
help topic interfaces family
- Ifdown
set interfaces ge-0/0/7 disable
- Ifup
delete interfaces ge-0/0/7 disable
Monitor
Will only show the traffic to/from the BNG loopback
monitor traffic interface ps1.0
Show packet stats in real time
monitor interface ps4.12345
Copy between cluster nodes
file copy /var/tmp/abc.log node1:/var/log/