khodor/documentation
0
0
Fork 0
forked from spinesystemspublic/documentation
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add juniper docs

Browse Source
This commit is contained in:
Denys Fedoryshchenko
2023-08-31 09:11:23 +03:00
parent 3a64bfdfff
commit 8fc13c9b91
1 changed files with 276 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Juniper.md
+276
View File
@@ -0,0 +1,276 @@
# Juniper switch tips and tricks
## Setting options
ssh to the switch, you will see the prompt
```
username@YOURSWITCHNAME>
```
To set certain options you need to go to configuration mode
```
username@YOURSWITCHNAME> edit
Entering configuration mode
[edit]
username@YOURSWITCHNAME#
```
You can see prompt changed, now you can set options.
```
[edit]
username@YOURSWITCHNAME# set system host-name YOURSWITCHNAME
[edit]
username@YOURSWITCHNAME# set system root-authentication plain-text-password
New password:
Retype new password:
```
etc etc
After you finished adding changes, you can verify them by issuing command
```
[edit]
username@YOURSWITCHNAME# show | compare
```
It will show you the difference between current configuration and the one you are going to commit.
If you are happy with the changes, you can commit them in "confirmed" mode, similar to Mikrotik "safe mode"
```
[edit]
username@YOURSWITCHNAME# commit confirmed 5
```
This will commit the changes and will rollback them in 5 minutes if you don't confirm them. So if you made a mistake and you are locked out of the switch, you can still wait 5 minutes and it will rollback to previous configuration.
But if everything is fine, you can confirm the changes by issuing command
```
[edit]
username@YOURSWITCHNAME# commit
commit complete
```
You can directly go to commit step if you are absolutely sure what you are doing, and changes wont lock you out of the switch.
## Tuning
After installing switch it is recommended to do certain tuning (which i often forget) to avoid problems in the future.
### EX4500, EX4550
```
chassis {
fpc 0 {
pic 0 {
q-pic-large-buffer;
}
}
}
```
Set the large buffer on the EX-series switches. (Doesn't work on all model), might help to avoid packetloss at high utilization.
```
class-of-service {
shared-buffer {
percent 100;
}
}
```
Not sure this tuning useful, to be researched.
### All models
```
interfaces {
xe-0/0/0 {
ether-options {
no-flow-control;
}
```
Disable flow control on all interfaces. Flow control in ISP environment is not recommended, it can cause packetloss and various network issues.
## VLANs
### Create L2 VLAN between 2 interfaces
Create VLAN name with associated VLAN ID
Then set on interfaces the VLAN name and the port mode to trunk
```
set vlans CUSTOMER100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/1 unit 0 family ethernet-switching port mode trunk
```
As you might notice, you can also set port mode to access, this means port will send traffic of vlan "untagged" (without vlan tag). If interface set to access, you cannot have more than one "member" VLAN.
### Create L3 VLAN
If you want to create a L3 VLAN, you need to create a VLAN name with id and set l3-interface, then set the interface with the IP address,
and assign the VLAN to some interface.
Note, name of the VLAN interface is vlan.id on EX4500, EX4550, smaller series, and irb.id on EX4600, EX8200, EX9200, QFX Series. I am giving example for EX4500
```
set vlans CUSTOMER100 vlan-id 100
set vlans CUSTOMER100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port mode access
```
### Create tagged with native VLAN
If you want to create a tagged VLAN with one VLAN passing as untagged, native VLAN, you need to set the following:
EX4500, EX4550
```
xe-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ VLANTRUNK1 VLANTRUNK2 VLANTRUNK3 VLANSOMETHING ];
}
native-vlan-id OTHERVLAN;
}
}
}
```
QFX, EX4600, EX8200, EX9200
```
et-0/0/50 {
native-vlan-id 603;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ VLAN1 VLANOTHER VLANTHIRD ];
}
}
}
}
```
## BGP
Typical setup with Ogero, you will have 2 BGP sessions, one for IPv4 and one for IPv6. You will receive default route from Ogero, and you will send your prefixes to Ogero.
We will skip IPv6 for now.
```
protocols {
bgp {
group OGERO {
type external;
local-address x.x.x.x;
family inet {
unicast;
}
neighbor y.y.y.y {
peer-as 42020;
authentication-key "$9$xxxxxxxxxxxxxxxxxxxxx";
}
export [ OGERO-EXPORT ];
import [ OGERO-IMPORT ];
}
}
}
policy-options {
policy-statement OGERO-EXPORT {
term OGERO-EXPORT {
from {
route-filter a.a.a.a/24 exact;
route-filter b.b.b.b/24 exact;
}
then accept;
}
}
policy-statement OGERO-IMPORT {
term OGERO-IMPORT {
then accept;
}
}
}
```
* x.x.x.x is your peer IP address and y.y.y.y is Ogero IP address.
* a.a.a.a/24 and b.b.b.b/24 are your prefixes you want to send to Ogero.
## FBF
### EX4500, EX4550
```
routing-instances {
route-tonat {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.0.252.2;
}
}
}
}
routing-options {
interface-routes {
rib-group inet fbf-group;
}
rib-groups {
fbf-group {
import-rib [ inet.0 route-tonat.inet.0 ];
}
}
}
firewall {
family inet {
filter mainvlan-in {
term bypass {
from {
destination-address {
10.0.0.0/8;
192.168.0.0/16;
91.240.80.0/22;
172.16.0.0/12;
}
}
then accept;
}
term tonat {
from {
source-address {
10.0.0.0/8;
192.168.0.0/16;
172.16.0.0/12;
}
}
then {
routing-instance route-tonat;
}
}
term default {
then accept;
}
}
}
}
interfaces {
vlan {
unit 100 {
family inet {
filter {
input mainvlan-in;
}
address x.x.x.x/24;
}
}
}
}
```