# Juniper switch tips and tricks

## Setting options

SSH to the switch and you will see the prompt:

```
username@YOURSWITCHNAME>
```

To set options you need to enter configuration mode:

```
username@YOURSWITCHNAME> edit
Entering configuration mode

[edit]
username@YOURSWITCHNAME#
```

The prompt changes; now you can set options.

```
[edit]
username@YOURSWITCHNAME# set system host-name YOURSWITCHNAME

[edit]
username@YOURSWITCHNAME# set system root-authentication plain-text-password
New password:
Retype new password:
```

and so on. After you have finished adding changes, you can verify them with:

```
[edit]
username@YOURSWITCHNAME# show | compare
```

It shows the difference between the current configuration and the one you are about to commit.

If you are happy with the changes, you can commit them in "confirmed" mode, similar to the Mikrotik "safe mode":

```
[edit]
username@YOURSWITCHNAME# commit confirmed 5
```

This commits the changes and rolls them back after 5 minutes unless you confirm them. So if you made a mistake and are locked out of the switch, wait 5 minutes and it will roll back to the previous configuration. If everything is fine, confirm the changes with:

```
[edit]
username@YOURSWITCHNAME# commit
commit complete
```

You can go directly to the commit step if you are absolutely sure about what you are doing and the changes won't lock you out of the switch.

## Tuning

After installing a switch it is recommended to do certain tuning (which I often forget) to avoid problems in the future.

### EX4500, EX4550

```
chassis {
    fpc 0 {
        pic 0 {
            q-pic-large-buffer;
        }
    }
}
```

Sets the large buffer on EX-series switches (doesn't work on all models); it might help avoid packet loss at high utilization.

```
class-of-service {
    shared-buffer {
        percent 100;
    }
}
```

Not sure this tuning is useful; to be researched.

### All models

```
interfaces {
    xe-0/0/0 {
        ether-options {
            no-flow-control;
        }
    }
}
```

Disable flow control on all interfaces.
Flow control in an ISP environment is not recommended; it can cause packet loss and various network issues.

## VLANs

### Create L2 VLAN between 2 interfaces

Create a VLAN name with the associated VLAN ID, then set the VLAN name and the port mode (trunk) on the interfaces:

```
set vlans CUSTOMER100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
```

As you might notice, you can also set the port mode to access, which means the port sends the VLAN's traffic "untagged" (without a VLAN tag). If an interface is set to access mode, it cannot have more than one "member" VLAN.

### Create L3 VLAN

If you want to create an L3 VLAN, create a VLAN name with an ID and set its l3-interface, then configure the IP address on that interface and assign the VLAN to some physical interface. Note that the VLAN interface is named vlan.id on the EX4500, EX4550 and smaller series, and irb.id on the EX4600, EX8200, EX9200 and QFX series.
Here is an example for the EX4500:

```
set vlans CUSTOMER100 vlan-id 100
set vlans CUSTOMER100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
```

### Create tagged with native VLAN

If you want a tagged (trunk) port with one VLAN passing untagged as the native VLAN, set the following.

EX4500, EX4550:

```
xe-0/0/1 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ VLANTRUNK1 VLANTRUNK2 VLANTRUNK3 VLANSOMETHING ];
            }
            native-vlan-id OTHERVLAN;
        }
    }
}
```

QFX, EX4600, EX8200, EX9200:

```
et-0/0/50 {
    native-vlan-id 603;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN1 VLANOTHER VLANTHIRD ];
            }
        }
    }
}
```

## BGP

In a typical setup with Ogero you will have 2 BGP sessions, one for IPv4 and one for IPv6. You will receive a default route from Ogero and send your prefixes to Ogero. We will skip IPv6 for now.

```
protocols {
    bgp {
        group OGERO {
            type external;
            local-address x.x.x.x;
            family inet {
                unicast;
            }
            neighbor y.y.y.y {
                peer-as 42020;
                authentication-key "$9$xxxxxxxxxxxxxxxxxxxxx";
            }
            export [ OGERO-EXPORT ];
            import [ OGERO-IMPORT ];
        }
    }
}
policy-options {
    policy-statement OGERO-EXPORT {
        term OGERO-EXPORT {
            from {
                route-filter a.a.a.a/24 exact;
                route-filter b.b.b.b/24 exact;
            }
            then accept;
        }
    }
    policy-statement OGERO-IMPORT {
        term OGERO-IMPORT {
            then accept;
        }
    }
}
```

* x.x.x.x is your own IP address on the peering link (the local-address) and y.y.y.y is the Ogero IP address.
* a.a.a.a/24 and b.b.b.b/24 are the prefixes you want to announce to Ogero.
Also don't forget to set your ASN in routing-options:

```
set routing-options autonomous-system 12345
```

## Bonding

Don't forget to set the number of aggregated (bonding) interfaces:

```
chassis {
    aggregated-devices {
        ethernet {
            device-count 15;
        }
    }
}
```

Then the bond itself:

```
xe-0/0/6 {
    description IXMANAGER-eth3;
    ether-options {
        802.3ad ae6;
    }
}
xe-0/0/7 {
    description IXMANAGER-eth4;
    ether-options {
        802.3ad ae6;
    }
}
ae6 {
    description IXMANAGER;
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members [ IXMANAGER ];
            }
        }
    }
}
```

## FBF

### EX4500, EX4550

Filter-based forwarding: the mainvlan-in filter on the VLAN interface passes traffic to the listed internal destinations normally (term bypass), steers traffic from the private source ranges into the route-tonat forwarding instance, whose only route is a default via 10.0.252.2 (term tonat), and accepts everything else (term default). The rib-group copies the interface routes into route-tonat.inet.0 so that the instance can resolve that next hop.

```
routing-instances {
    route-tonat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.252.2;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 route-tonat.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter mainvlan-in {
            term bypass {
                from {
                    destination-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        91.240.80.0/22;
                        172.16.0.0/12;
                    }
                }
                then accept;
            }
            term tonat {
                from {
                    source-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        172.16.0.0/12;
                    }
                }
                then {
                    routing-instance route-tonat;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    input mainvlan-in;
                }
                address x.x.x.x/24;
            }
        }
    }
}
```

## Diagnostics

### SFP signal monitoring

If your SFP supports DDMI, you can monitor the signal strength of the SFP. This is useful to see whether the SFP is working properly or not.
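As an added example (not from the original page), a Python check that automates the reading of this output described in this section: any alarm or warning flag that is On is reported first, then each reading is compared with its warning thresholds, and optical readings within 1 dB of a threshold are flagged as borderline. The sample output is constructed in the format of the command output shown below, with the TX and RX values altered so that every check has something to report.

```python
import re
# Constructed sample in the format of the command output shown below; TX power is raised and RX power
# lowered (the page's own reading was -3.61 dBm) so that every check has something to report.
SAMPLE_OPTICS = """\
Physical interface: xe-0/0/0
    Laser bias current                        :  8.370 mA
    Laser output power                        :  1.0990 mW / 0.41 dBm
    Receiver signal average optical power     :  0.0724 mW / -11.40 dBm
    Laser output power high warning           :  On
    Laser output power high warning threshold :  1.0000 mW / 0.00 dBm
    Laser output power low warning threshold  :  0.2510 mW / -6.00 dBm
    Laser rx power high warning threshold     :  0.7943 mW / -1.00 dBm
    Laser rx power low warning threshold      :  0.0631 mW / -12.00 dBm
"""
# Reading -> prefix of its "... low/high warning threshold" lines; optical ones get the borderline check.
READINGS = {
    "Receiver signal average optical power": "Laser rx power",
    "Laser output power": "Laser output power",
    "Laser bias current": "Laser bias current",
    "Module temperature": "Module temperature",
}
OPTICAL = ("Receiver signal average optical power", "Laser output power")

def parse_optics(text):
    """Map each field to 'On'/'Off' or to a float; the dBm figure is used where mW and dBm are both printed."""
    fields = {}
    for line in text.splitlines():
        name, _, raw = line.partition(":")
        name, raw = name.strip(), raw.strip()
        if raw in ("On", "Off"):
            fields[name] = raw
            continue
        m = re.search(r"(-?\d+(?:\.\d+)?)\s*dBm", raw) or re.match(r"(-?\d+(?:\.\d+)?)", raw)
        if m:  # non-numeric lines such as the interface name are skipped
            fields[name] = float(m.group(1))
    return fields

def check_optics(fields, borderline_db=1.0):
    """Two-step check from the text: flags that are On, then readings against their warning thresholds."""
    findings = [(name, "flag on") for name, value in fields.items() if value == "On"]
    for reading, prefix in READINGS.items():
        value = fields.get(reading)
        low, high = (fields.get(f"{prefix} {w} warning threshold") for w in ("low", "high"))
        if None in (value, low, high):
            continue  # reading or its threshold pair not reported by this module
        if not low <= value <= high:
            findings.append((reading, "out of range"))
        elif reading in OPTICAL and min(value - low, high - value) < borderline_db:
            findings.append((reading, "borderline"))
    return findings
```

Feed it the full output of the command (for example saved from the CLI) and an empty list means nothing to act on.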
```
admin@CORE> show interfaces diagnostics optics xe-0/0/0
Physical interface: xe-0/0/0
    Laser bias current                        :  8.370 mA
    Laser output power                        :  0.6260 mW / -2.03 dBm
    Module temperature                        :  40 degrees C / 104 degrees F
    Module voltage                            :  3.2510 V
    Receiver signal average optical power     :  0.4357 mW / -3.61 dBm
    Laser bias current high alarm             :  Off
    Laser bias current low alarm              :  Off
    Laser bias current high warning           :  Off
    Laser bias current low warning            :  Off
    Laser output power high alarm             :  Off
    Laser output power low alarm              :  Off
    Laser output power high warning           :  Off
    Laser output power low warning            :  Off
    Module temperature high alarm             :  Off
    Module temperature low alarm              :  Off
    Module temperature high warning           :  Off
    Module temperature low warning            :  Off
    Module voltage high alarm                 :  Off
    Module voltage low alarm                  :  Off
    Module voltage high warning               :  Off
    Module voltage low warning                :  Off
    Laser rx power high alarm                 :  Off
    Laser rx power low alarm                  :  Off
    Laser rx power high warning               :  Off
    Laser rx power low warning                :  Off
    Laser bias current high alarm threshold   :  100.000 mA
    Laser bias current low alarm threshold    :  0.000 mA
    Laser bias current high warning threshold :  90.000 mA
    Laser bias current low warning threshold  :  0.100 mA
    Laser output power high alarm threshold   :  1.2580 mW / 1.00 dBm
    Laser output power low alarm threshold    :  0.1990 mW / -7.01 dBm
    Laser output power high warning threshold :  1.0000 mW / 0.00 dBm
    Laser output power low warning threshold  :  0.2510 mW / -6.00 dBm
    Module temperature high alarm threshold   :  90 degrees C / 194 degrees F
    Module temperature low alarm threshold    :  -5 degrees C / 23 degrees F
    Module temperature high warning threshold :  85 degrees C / 185 degrees F
    Module temperature low warning threshold  :  0 degrees C / 32 degrees F
    Module voltage high alarm threshold       :  3.800 V
    Module voltage low alarm threshold        :  2.700 V
    Module voltage high warning threshold     :  3.700 V
    Module voltage low warning threshold      :  2.800 V
    Laser rx power high alarm threshold       :  1.0000 mW / 0.00 dBm
    Laser rx power low alarm threshold        :  0.0501 mW / -13.00 dBm
    Laser rx power high warning threshold     :  0.7943 mW / -1.00 dBm
    Laser rx power low warning threshold      :  0.0631 mW / -12.00 dBm
```

Which means: first, quickly go through the list of alarms and warnings; if any of them is On, you have a problem with the SFP or the fiber. Second, check the values to get an estimate of the link's health.

* Receiver signal average optical power : 0.4357 mW / -3.61 dBm

This means the signal is good and the SFP is working properly. Usually the signal should lie between "Laser rx power high warning threshold : 0.7943 mW / -1.00 dBm" and "Laser rx power low warning threshold : 0.0631 mW / -12.00 dBm", so if it is below -12 dBm or above -1 dBm you have a problem. Too low a signal usually means either SFP degradation or fiber attenuation (damaged fiber?). Too high a signal usually means too much light is reaching the receiver, which can be caused by a too powerful SFP TX on the other side combined with a fiber too short for that type of SFP; this can burn out the receiver. Also watch out for "borderline" values close to a threshold: they may indicate a problem that is not critical yet.

* Laser bias current : 8.370 mA

Similarly, this needs to be within the bounds set by the "bias current" thresholds. Also watch the SFP temperature; if it is too high, the SFP may be overheating and will likely degrade soon.

### Check inventory

This is usually used to verify the list of plugged-in SFPs, but it also shows other hardware.
```
admin@CORE> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                ZZZZ              EX4500-40F
Routing Engine 0 REV 08   750-035702   ZZZZ              EX4500-40F
FPC 0            REV 08   750-035702   ZZZZ              EX4500-40F
  CPU                     BUILTIN      BUILTIN           FPC CPU
  PIC 0                   BUILTIN      BUILTIN           40x 1/10GE
    Xcvr 0       REV 01   740-021308   I0512280053       SFP+-10G-SR
    Xcvr 1                NON-JNPR     CI151116245       SFP-T
    Xcvr 2       REV 01   740-031980   F172JU01652       SFP+-10G-SR
    Xcvr 3       REV 01   740-031980   F172JU01651       SFP+-10G-SR
    Xcvr 4       REV 01   740-021308   I0512280054       SFP+-10G-SR
    Xcvr 5       REV 01   740-031981   F172JU02038       SFP+-10G-LR
```

### New SFP not working

This can happen on Junipers: while they work with most SFPs, some might not be compatible. If you plugged in a new SFP and it is not working, check whether it is recognized by the switch with the following commands:

```
show chassis hardware
show interfaces diagnostics optics **-0/0/0
show interfaces **-0/0/0 extensive
```

"**" should be replaced by the interface type, for example xe-0/0/0. Be aware that sometimes 1G or 10G is not detected correctly, so you might need to check all possible types, such as ge and xe.

For the last command, pay attention to lines like these:

```
Physical interface: xe-0/0/0, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 10Gbps, Duplex: Full-Duplex, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media type: Fiber
```

If the physical link is Down it might also mean the SFP is non-standard, not detected correctly and not working. Check also that Speed and Media type match the specification.

### Packetloss

If you suspect packet loss on some link, Juniper has a nice "flood" ping:
```
admin@CORE> ping 10.0.252.2 count 1000 rapid
PING 10.0.252.2 (10.0.252.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 10.0.252.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.572/2.286/13.992/2.207 ms
```

This sends 1000 packets as fast as possible and shows you the packet loss and RTT. You can ignore the RTT, since the control plane does not have high priority, but packet loss should not be present in any case.

### BGP troubleshooting

If you have a BGP session with Ogero and it is not working, you can check whether the session is established with the following command:

```
admin@CORE> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
y.y.y.y               42020          0          0       0       0        1:01 1/1/1/0              0/0/0/0
```

Look at the "State" column: it should be "Established"; if it is not, you have a problem with the BGP session.

You can check which routes you are sending with the following command:

```
admin@CORE> show route advertising-protocol bgp y.y.y.y

inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* x.y.a.x/22              Self                                    I
* b.b.b.b/22              Self                                    I
```

If you see your prefixes, you are sending them to Ogero. You can also use "show bgp neighbor x.x.x.x" to see more detailed information about the BGP session.
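As an added example (not part of the original page), a Python check that applies the two commands above to saved output: it parses the peer lines of "show bgp summary" (for an established peer the State column carries the Active/Received/Accepted/Damped counts, as in the output above; otherwise it carries the session state name) and compares the prefixes in "show route advertising-protocol bgp" with the ones you expect to announce. The peer addresses and prefixes in the samples are constructed.

```python
import re
# Constructed sample in the shape of the "show bgp summary" output above: one established peer
# (route counts in the State column) and one peer stuck in the Active state.
SAMPLE_SUMMARY = """\
Groups: 2 Peers: 2 Down peers: 1
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
192.0.2.1             42020       1234       1230       0       0     1:01:10 1/1/1/0              0/0/0/0
192.0.2.9             64496          0          0       0       3       12:05 Active
"""
# Constructed sample in the shape of "show route advertising-protocol bgp <peer>" above.
SAMPLE_ADVERTISED = """\
inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 198.51.100.0/24         Self                                    I
"""
COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+)$")  # Active/Received/Accepted/Damped for one table

def parse_bgp_summary(text):
    """Return {peer: {asn, flaps, established, state, received}} for each peer line. Junos prints
    route counts in the State column only for established peers; otherwise it prints the state name."""
    peers = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not all(t.isdigit() for t in tok[1:6]):
            continue  # header lines, table totals and blank lines
        counts = [m for m in map(COUNTS.match, tok[6:]) if m]  # Last Up/Dwn may contain spaces
        peers[tok[0]] = {
            "asn": int(tok[1]), "flaps": int(tok[5]), "established": bool(counts),
            "state": "Established" if counts else tok[-1],
            "received": int(counts[0].group(2)) if counts else 0,
        }
    return peers

def parse_advertised(text):
    """Prefixes we announce to the peer: the '*' (active) lines of the advertising-protocol output."""
    return {line.split()[1] for line in text.splitlines() if line.startswith("*")}

def bgp_problems(summary, advertised, expected_prefixes):
    """Mirror the manual checks: session established, routes received, our prefixes announced."""
    problems = []
    for peer, p in summary.items():
        if not p["established"]:
            problems.append(f"{peer}: session {p['state']} after {p['flaps']} flaps")
        elif p["received"] == 0:
            problems.append(f"{peer}: established but no routes received")
    problems += [f"{prefix} not advertised" for prefix in sorted(set(expected_prefixes) - advertised)]
    return problems
```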