Juniper switch tips and tricks
Setting options
SSH to the switch and you will see the prompt:
username@YOURSWITCHNAME>
To set options you need to enter configuration mode:
username@YOURSWITCHNAME> edit
Entering configuration mode
[edit]
username@YOURSWITCHNAME#
You can see that the prompt changed; now you can set options.
[edit]
username@YOURSWITCHNAME# set system host-name YOURSWITCHNAME
[edit]
username@YOURSWITCHNAME# set system root-authentication plain-text-password
New password:
Retype new password:
and so on.
After you have finished making changes, you can verify them with the command
[edit]
username@YOURSWITCHNAME# show | compare
It shows the difference between the running configuration and the candidate configuration you are about to commit.
If you are happy with the changes, you can commit them in "confirmed" mode, similar to MikroTik "safe mode":
[edit]
username@YOURSWITCHNAME# commit confirmed 5
This will commit the changes and roll them back after 5 minutes if you don't confirm them. So if you made a mistake and are locked out of the switch, you can wait 5 minutes and it will roll back to the previous configuration. If everything is fine, confirm the changes by issuing the command
[edit]
username@YOURSWITCHNAME# commit
commit complete
You can go directly to the commit step if you are absolutely sure of what you are doing and the changes won't lock you out of the switch.
Users management
- WARNING! It seems newer Junos versions do not allow SSH login as the root user.
Changing root password
set system root-authentication plain-text-password
NEVER set weak passwords; you might lose the device as soon as it is connected to the internet.
Adding new user
set system login user USERNAME class super-user authentication plain-text-password
NEVER set weak passwords; you might lose the device as soon as it is connected to the internet.
Adding new user with SSH key
set system login user USERNAME class super-user authentication ssh-rsa "USERKEY"
Firewall
Set a firewall filter on the management (loopback) interface
set interfaces lo0 unit 0 family inet filter input MANAGEMENT
set firewall family inet filter MANAGEMENT term MANAGEMENT from source-address x.x.x.x/32
set firewall family inet filter MANAGEMENT term MANAGEMENT then accept
set firewall family inet filter MANAGEMENT term default then discard
Make sure to use commit confirmed, otherwise you might lock yourself out of the switch. You may also need to allow the Ogero BGP peer IP addresses in the filter, and sometimes the ICMP protocol for troubleshooting. THIS IS AN IMPORTANT STEP TO SECURE THE SWITCH.
Monitoring and misc
Add SNMP community for monitoring
set snmp community COMMUNITY authorization read-only
Use a complex string for COMMUNITY, as it can be guessed or brute-forced.
Add NTP server
set system ntp server x.x.x.x
set system time-zone Asia/Beirut
It is highly recommended to configure an NTP server, as it will help you troubleshoot problems in the future: logs will carry the correct time.
Filtering license flood messages
system {
    syslog {
        file messages {
            any notice;
            authorization info;
            match "!(.*BGP Routing Protocol usage requires a license.*)";
        }
    }
}
This will prevent early wear-out of your flash memory, as license messages are otherwise written to the log every 10 seconds.
Syslog audit
It is recommended to send syslog to a remote host so that, in case of an incident, the offender cannot remove the logs:
system {
    syslog {
        host x.x.x.x {
            any notice;
            authorization info;
            match "!(.*BGP Routing Protocol usage requires a license.*)";
        }
    }
}
Tuning
After installing a switch it is recommended to do certain tuning (which I often forget) to avoid problems in the future.
EX4500, EX4550
chassis {
    fpc 0 {
        pic 0 {
            q-pic-large-buffer;
        }
    }
}
Sets the large buffer on EX-series switches (does not work on all models); it might help avoid packet loss at high utilization.
class-of-service {
    shared-buffer {
        percent 100;
    }
}
Not sure whether this tuning is useful; to be researched.
All models
interfaces {
    xe-0/0/0 {
        ether-options {
            no-flow-control;
        }
    }
}
Disable flow control on all interfaces. Flow control is not recommended in an ISP environment; it can cause packet loss and various network issues.
VLANs
Create L2 VLAN between 2 interfaces
Create a VLAN name with its associated VLAN ID, then set the VLAN name on the interfaces and set the port mode to trunk:
set vlans CUSTOMER100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
As you might notice, you can also set the port mode to access, which means the port will send the VLAN's traffic untagged (without a VLAN tag). If an interface is set to access, it cannot have more than one "member" VLAN.
Create L3 VLAN
If you want to create a L3 VLAN, you need to create a VLAN name with an ID and set its l3-interface, then configure that interface with the IP address, and assign the VLAN to some physical interface.
Note that the name of the VLAN interface is vlan.ID on the EX4500, EX4550 and smaller series, and irb.ID on the EX4600, EX8200, EX9200 and QFX series. The example below is for an EX4500.
set vlans CUSTOMER100 vlan-id 100
set vlans CUSTOMER100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
Create tagged with native VLAN
If you want a tagged (trunk) port with one VLAN passing untagged as the native VLAN, you need to set the following:
EX4500, EX4550
xe-0/0/1 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ VLANTRUNK1 VLANTRUNK2 VLANTRUNK3 VLANSOMETHING ];
            }
            native-vlan-id OTHERVLAN;
        }
    }
}
QFX, EX4600, EX8200, EX9200
et-0/0/50 {
    native-vlan-id 603;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN1 VLANOTHER VLANTHIRD ];
            }
        }
    }
}
Routing
Static routing
routing-options {
    static {
        route x.x.x.x/y next-hop z.z.z.z;
    }
}
Adds a static route to x.x.x.x/y via z.z.z.z.
BGP
In a typical setup with Ogero you will have 2 BGP sessions, one for IPv4 and one for IPv6. You receive a default route from Ogero and send your prefixes to Ogero. We will skip IPv6 for now.
protocols {
    bgp {
        group OGERO {
            type external;
            local-address x.x.x.x;
            family inet {
                unicast;
            }
            neighbor y.y.y.y {
                peer-as 42020;
                authentication-key "$9$xxxxxxxxxxxxxxxxxxxxx";
            }
            export [ OGERO-EXPORT ];
            import [ OGERO-IMPORT ];
        }
    }
}
policy-options {
    policy-statement OGERO-EXPORT {
        term OGERO-EXPORT {
            from {
                route-filter a.a.a.a/24 exact;
                route-filter b.b.b.b/24 exact;
            }
            then accept;
        }
    }
    policy-statement OGERO-IMPORT {
        term OGERO-IMPORT {
            then accept;
        }
    }
}
- x.x.x.x is your own IP address on the peering link and y.y.y.y is the Ogero IP address.
- a.a.a.a/24 and b.b.b.b/24 are the prefixes you want to send to Ogero.
Also don't forget to set your ASN in routing-options:
set routing-options autonomous-system 12345
Bonding
Don't forget to set the number of aggregated (bonding) interfaces:
chassis {
    aggregated-devices {
        ethernet {
            device-count 15;
        }
    }
}
Then bonding itself:
xe-0/0/6 {
    description IXMANAGER-eth3;
    ether-options {
        802.3ad ae6;
    }
}
xe-0/0/7 {
    description IXMANAGER-eth4;
    ether-options {
        802.3ad ae6;
    }
}
ae6 {
    description IXMANAGER;
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members [ IXMANAGER ];
            }
        }
    }
}
FBF (filter-based forwarding)
EX4500, EX4550
routing-instances {
    route-tonat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.252.2;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 route-tonat.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter mainvlan-in {
            term bypass {
                from {
                    destination-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        91.240.80.0/22;
                        172.16.0.0/12;
                    }
                }
                then accept;
            }
            term tonat {
                from {
                    source-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        172.16.0.0/12;
                    }
                }
                then {
                    routing-instance route-tonat;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    input mainvlan-in;
                }
                address x.x.x.x/24;
            }
        }
    }
}
Diagnostics
SFP signal monitoring
If your SFP supports DDMI (digital diagnostics monitoring), you can monitor the signal strength of the SFP. This is useful to see whether the SFP is working properly or not.
admin@CORE> show interfaces diagnostics optics xe-0/0/0
Physical interface: xe-0/0/0
Laser bias current : 8.370 mA
Laser output power : 0.6260 mW / -2.03 dBm
Module temperature : 40 degrees C / 104 degrees F
Module voltage : 3.2510 V
Receiver signal average optical power : 0.4357 mW / -3.61 dBm
Laser bias current high alarm : Off
Laser bias current low alarm : Off
Laser bias current high warning : Off
Laser bias current low warning : Off
Laser output power high alarm : Off
Laser output power low alarm : Off
Laser output power high warning : Off
Laser output power low warning : Off
Module temperature high alarm : Off
Module temperature low alarm : Off
Module temperature high warning : Off
Module temperature low warning : Off
Module voltage high alarm : Off
Module voltage low alarm : Off
Module voltage high warning : Off
Module voltage low warning : Off
Laser rx power high alarm : Off
Laser rx power low alarm : Off
Laser rx power high warning : Off
Laser rx power low warning : Off
Laser bias current high alarm threshold : 100.000 mA
Laser bias current low alarm threshold : 0.000 mA
Laser bias current high warning threshold : 90.000 mA
Laser bias current low warning threshold : 0.100 mA
Laser output power high alarm threshold : 1.2580 mW / 1.00 dBm
Laser output power low alarm threshold : 0.1990 mW / -7.01 dBm
Laser output power high warning threshold : 1.0000 mW / 0.00 dBm
Laser output power low warning threshold : 0.2510 mW / -6.00 dBm
Module temperature high alarm threshold : 90 degrees C / 194 degrees F
Module temperature low alarm threshold : -5 degrees C / 23 degrees F
Module temperature high warning threshold : 85 degrees C / 185 degrees F
Module temperature low warning threshold : 0 degrees C / 32 degrees F
Module voltage high alarm threshold : 3.800 V
Module voltage low alarm threshold : 2.700 V
Module voltage high warning threshold : 3.700 V
Module voltage low warning threshold : 2.800 V
Laser rx power high alarm threshold : 1.0000 mW / 0.00 dBm
Laser rx power low alarm threshold : 0.0501 mW / -13.00 dBm
Laser rx power high warning threshold : 0.7943 mW / -1.00 dBm
Laser rx power low warning threshold : 0.0631 mW / -12.00 dBm
Which means:
First, quickly go through the list of alarms and warnings; if any of them is On, you have a problem with the SFP or the fiber.
Second, check the values to get an estimate of the link quality.
- Receiver signal average optical power : 0.4357 mW / -3.61 dBm
This means the signal is good and the SFP is working properly.
Usually the signal should stay between "Laser rx power high warning threshold : 0.7943 mW / -1.00 dBm" and "Laser rx power low warning threshold : 0.0631 mW / -12.00 dBm", which means that if it is below -12 dBm or above -1 dBm, you have a problem. Too low a signal usually means either SFP degradation or fiber attenuation (damaged fiber?). Too high a signal usually means too much light is reaching the receiver, which can be caused by a too-powerful SFP TX on the other side combined with a fiber that is too short for that type of SFP; this can burn out the receiver.
Also watch out for "borderline" values that are close to a threshold; this might indicate a problem that is not critical yet.
- Laser bias current : 8.370 mA
Similarly, this needs to stay within the bounds set by the "Laser bias current" thresholds.
Watch out also for the SFP temperature; if it is too high, the SFP is overheating and will likely degrade soon.
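To automate the checks described above, here is an added Python example (not from the original page or from Juniper) that parses a constructed sample in the format of the show interfaces diagnostics optics output, reports any alarm or warning flag that is On, and flags readings that are outside, or within 1 dB / 1 mA of, their warning thresholds. The label names are taken from the output above; the sample values are constructed, with rx power placed close to its low warning.

```python
import re

# Constructed sample in the format of "show interfaces diagnostics optics"
# (not captured from a real switch); rx power sits near its low warning level.
SAMPLE = """Physical interface: xe-0/0/0
    Laser bias current                        :  8.370 mA
    Receiver signal average optical power     :  0.0708 mW / -11.50 dBm
    Laser bias current high alarm             :  Off
    Laser rx power low warning                :  Off
    Module temperature high warning           :  On
    Laser bias current high warning threshold :  90.000 mA
    Laser bias current low warning threshold  :  0.100 mA
    Laser rx power high warning threshold     :  0.7943 mW / -1.00 dBm
    Laser rx power low warning threshold      :  0.0631 mW / -12.00 dBm
"""

LINE = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")

def parse_optics(text):
    """Map each label to a float (dBm if present, else the first number) or to On/Off."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1).startswith("Physical interface"):
            continue
        label, value = m.groups()
        if value in ("On", "Off"):
            fields[label] = value
        else:
            dbm = re.search(r"(-?\d+(?:\.\d+)?) dBm", value)
            num = dbm.group(1) if dbm else re.match(r"-?\d+(?:\.\d+)?", value).group(0)
            fields[label] = float(num)
    return fields

def check_optics(fields, margin=1.0):
    """Return findings: raised flags, out-of-range readings and borderline readings."""
    findings = [f"FLAG {k}" for k, v in fields.items() if v == "On"]
    # measured reading -> label prefix of its warning thresholds (as in the CLI output)
    checks = {"Receiver signal average optical power": "Laser rx power",
              "Laser bias current": "Laser bias current"}
    for reading, prefix in checks.items():
        val = fields.get(reading)
        lo, hi = (fields.get(f"{prefix} {w} warning threshold") for w in ("low", "high"))
        if val is None or lo is None or hi is None:
            continue
        if val < lo or val > hi:
            findings.append(f"OUT OF RANGE {reading}={val} (warn {lo}..{hi})")
        elif val - lo < margin or hi - val < margin:
            findings.append(f"BORDERLINE {reading}={val} (warn {lo}..{hi})")
    return findings
```

Feed it the real command output (for example via "show interfaces diagnostics optics xe-0/0/0 | no-more" collected over SSH) and alert on any non-empty result.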
Check inventory
Usually this is used to verify the list of plugged-in SFPs, but it also shows the other hardware.
admin@CORE> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                ZZZZ           EX4500-40F
Routing Engine 0 REV 08   750-035702   ZZZZ           EX4500-40F
FPC 0            REV 08   750-035702   ZZZZ           EX4500-40F
  CPU                     BUILTIN      BUILTIN        FPC CPU
  PIC 0                   BUILTIN      BUILTIN        40x 1/10GE
    Xcvr 0       REV 01   740-021308   I0512280053    SFP+-10G-SR
    Xcvr 1                NON-JNPR     CI151116245    SFP-T
    Xcvr 2       REV 01   740-031980   F172JU01652    SFP+-10G-SR
    Xcvr 3       REV 01   740-031980   F172JU01651    SFP+-10G-SR
    Xcvr 4       REV 01   740-021308   I0512280054    SFP+-10G-SR
    Xcvr 5       REV 01   740-031981   F172JU02038    SFP+-10G-LR
New SFP not working
This can happen on Junipers: while they work with most SFPs, some might not be compatible.
If you plugged in a new SFP and it is not working, check whether it is recognized by the switch with the following commands:
show chassis hardware
show interfaces diagnostics optics **-0/0/0
show interface **-0/0/0 extensive
** should be replaced by the interface type, for example xe-0/0/0, but bear in mind that 1G and 10G modules are sometimes not detected correctly, so you might need to check all possible types, such as ge and xe.
For the last command, pay attention to lines like these:
Physical interface: xe-0/0/0, Enabled, Physical link is Up
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 10Gbps, Duplex: Full-Duplex, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Media type: Fiber
If the physical link is Down, it might also mean the SFP is non-standard, not detected correctly and not working. Check also that Speed and Media type match the specification.
Packet loss
If you suspect packet loss on some link, Juniper has a convenient rapid ("flood") ping command.
admin@CORE> ping 10.0.252.2 count 1000 rapid
PING 10.0.252.2 (10.0.252.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 10.0.252.2 ping statistics ---
1000 packets transmitted, 1000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.572/2.286/13.992/2.207 ms
This will send 1000 packets as fast as possible and show you the packet loss and RTT. While you can ignore the RTT, because the control plane does not have high priority, packet loss should not be present in any case.
BGP troubleshooting
If you have a BGP session with Ogero and it is not working, you can check whether the session is established with the following command:
admin@CORE> show bgp summary
Groups: 1 Peers: 1 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0
                       1          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
y.y.y.y               42020          0          0       0       0        1:01 1/1/1/0              0/0/0/0
Look at the "State" column: it should be "Established"; if it is not, you have a problem with the BGP session.
You can check which routes you are sending over BGP with the following command:
admin@CORE> show route advertising-protocol bgp y.y.y.y
inet.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* x.y.a.x/22              Self                                    I
* b.b.b.b/22              Self                                    I
If you see your prefixes, you are sending them to Ogero.
You can also use "show bgp neighbor x.x.x.x" to see more detailed information about the BGP session.
MAC address table size
Keep an eye on the EX4500 and EX4550 and don't exceed ~6000 MAC addresses, as it might cause problems with the switch. These switches have a 16k MAC address table, but it suffers from hash collisions, so it is recommended to keep it below 6k. If you have more than 6000 MAC addresses, you might need to upgrade to a better switch. There is a trick where you can disable MAC learning on some VLANs, but you have to meet one condition: only TWO interfaces should carry that VLAN, otherwise you will have a unicast flooding problem. Learning on a VLAN can be disabled with the following command:
set vlans VLANNAME no-mac-learning
Verifying MAC address table size:
admin@CORE> show ethernet-switching table brief
Pay attention to the header: "Ethernet-switching table: 477 entries, 239 learned, 0 persistent entries"
Monitoring routing engine CPU
admin@CORE> show chassis routing-engine
It is recommended that the load average values do not exceed 1.0 - 2.0.
Searching for a particular user MAC address on ports
admin@CORE> show ethernet-switching table | match MACADDRESS
MACADDRESS should be replaced with the MAC address of the user, for example 00:11:22:33:44:55.