documentation/Juniper.md
Denys Fedoryshchenko 8fc13c9b91 Add juniper docs
2023-08-31 09:11:23 +03:00

Juniper switch tips and tricks

Setting options

After you ssh to the switch you will see the prompt

username@YOURSWITCHNAME> 

To set options you need to enter configuration mode:

username@YOURSWITCHNAME> edit
Entering configuration mode

[edit]
username@YOURSWITCHNAME#

You can see that the prompt changed; now you can set options.

[edit]
username@YOURSWITCHNAME# set system host-name YOURSWITCHNAME
[edit]
username@YOURSWITCHNAME# set system root-authentication plain-text-password
New password:
Retype new password:

and so on.

After you have finished making changes, you can review them by issuing the command

[edit]
username@YOURSWITCHNAME# show | compare

It will show you the difference between the running configuration and the candidate configuration you are about to commit.

If you are happy with the changes, you can commit them in "confirmed" mode, similar to the MikroTik "safe mode":

[edit]
username@YOURSWITCHNAME# commit confirmed 5

This will commit the changes and roll them back automatically after 5 minutes unless you confirm them. So if you made a mistake and locked yourself out of the switch, you can wait 5 minutes and it will roll back to the previous configuration. If everything is fine, confirm the changes by issuing the command

[edit]
username@YOURSWITCHNAME# commit
commit complete

You can go directly to the commit step if you are absolutely sure of what you are doing and the changes won't lock you out of the switch.

Tuning

After installing a switch it is recommended to do certain tuning (which I often forget) to avoid problems in the future.

EX4500, EX4550

chassis {
    fpc 0 {
        pic 0 {
            q-pic-large-buffer;
        }
    }
}

Set the large buffer on the EX-series switches (does not work on all models); it might help to avoid packet loss at high utilization.

class-of-service {
    shared-buffer {
        percent 100;
    }
}

Not sure whether this tuning is useful; to be researched.

All models

interfaces {
    xe-0/0/0 {
        ether-options {
            no-flow-control;
        }
    }
}

Disable flow control on all interfaces. Flow control is not recommended in an ISP environment; it can cause packet loss and various network issues.

VLANs

Create an L2 VLAN between 2 interfaces

Create the VLAN name with its associated VLAN ID, then set the VLAN name and the trunk port mode on the interfaces:

set vlans CUSTOMER100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk

As you might notice, you can also set port-mode to access, which means the port will send the VLAN's traffic untagged (without a VLAN tag). If an interface is set to access mode, it cannot have more than one "member" VLAN.

Create an L3 VLAN

If you want to create an L3 VLAN, you need to create a VLAN name with an ID and set its l3-interface, then configure the IP address on that interface, and assign the VLAN to some interface.

Note that the name of the VLAN interface is vlan.<id> on the EX4500, EX4550 and smaller series, and irb.<id> on the EX4600, EX8200, EX9200 and QFX series. The example below is for the EX4500.

set vlans CUSTOMER100 vlan-id 100
set vlans CUSTOMER100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CUSTOMER100
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access

Create a trunk with a native VLAN

If you want to create a tagged (trunk) interface with one VLAN passing untagged as the native VLAN, you need to set the following:

EX4500, EX4550

xe-0/0/1 {
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ VLANTRUNK1 VLANTRUNK2 VLANTRUNK3 VLANSOMETHING ];
            }
            native-vlan-id OTHERVLAN;
        }
    }
}

QFX, EX4600, EX8200, EX9200

et-0/0/50 {
    native-vlan-id 603;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ VLAN1 VLANOTHER VLANTHIRD ];
            }
        }
    }
}

BGP

In a typical setup with Ogero you will have 2 BGP sessions, one for IPv4 and one for IPv6. You will receive a default route from Ogero and send your prefixes to Ogero. We will skip IPv6 for now.

protocols {
    bgp {
        group OGERO {
            type external;
            local-address x.x.x.x;
            family inet {
                unicast;
            }
            neighbor y.y.y.y {
                peer-as 42020;
                authentication-key "$9$xxxxxxxxxxxxxxxxxxxxx";
            }
            export [ OGERO-EXPORT ];
            import [ OGERO-IMPORT ];
        }
    }
}
policy-options {
    policy-statement OGERO-EXPORT {
        term OGERO-EXPORT {
            from {
                route-filter a.a.a.a/24 exact;
                route-filter b.b.b.b/24 exact;
            }
            then accept;
        }
    }
    policy-statement OGERO-IMPORT {
        term OGERO-IMPORT {
            then accept;
        }
    }
}
  • x.x.x.x is your own IP address on the peering link (local-address) and y.y.y.y is the Ogero IP address (neighbor).
  • a.a.a.a/24 and b.b.b.b/24 are the prefixes you want to send to Ogero.
  • OGERO-EXPORT has no final reject term, so anything it does not match falls through to the default BGP export policy, which still advertises active BGP-learned routes (including the default route received from Ogero). Add a last term with "then reject" if you want the policy to be explicit, and especially before adding more peers.
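The recommendations in the Tuning, VLANs and BGP sections above are easy to forget on a switch with many interfaces and policies. The following script is an added example (not part of these notes and not a Juniper tool): a minimal parser for the brace-style configuration format shown on this page, with three checks taken from those sections. The sample configuration at the bottom is constructed; 192.0.2.0/24, the interface names and the placeholder hostnames are assumptions.

```python
"""Lint a Junos brace-style configuration against the recommendations in these notes.

Added example, not part of the original notes: a minimal parser for the brace
configuration format shown above plus three checks drawn from the Tuning,
VLANs and BGP sections. The sample configuration is constructed; 192.0.2.0/24
and the interface names are placeholders.
"""
import re

PHYS_IF = re.compile(r"^(ge|xe|et)-\d+/\d+/\d+$")

def parse_junos(text):
    """`key { }` -> dict under "key"; `key value;` -> list of values (repeats accumulate)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):   # skip ## headers and annotations
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return stack[0]

def _leaf(node, key):
    """First value of a leaf statement ("" if absent); `[ A B ]` is returned as written."""
    v = node.get(key)
    return v[0] if isinstance(v, list) and v else ""

def _names(text):
    return text.strip("[] ").split()

def check_flow_control(cfg):
    """Tuning: physical interfaces whose ether-options lack no-flow-control."""
    return [n for n, b in cfg.get("interfaces", {}).items()
            if PHYS_IF.match(n) and isinstance(b, dict)
            and "no-flow-control" not in b.get("ether-options", {})]

def check_access_ports(cfg):
    """VLANs: access ports (port-mode or interface-mode access) with more than one member."""
    bad = []
    for name, body in cfg.get("interfaces", {}).items():
        if not isinstance(body, dict):
            continue
        for unit, ub in body.items():
            if unit.startswith("unit ") and isinstance(ub, dict):
                sw = ub.get("family ethernet-switching", {})
                mode = _leaf(sw, "port-mode") or _leaf(sw, "interface-mode")
                members = _names(_leaf(sw.get("vlan", {}), "members"))
                if mode == "access" and len(members) > 1:
                    bad.append((name, unit, members))
    return bad

def check_bgp_export_policies(cfg):
    """BGP: (group, policy) pairs whose last term does not reject, so the default
    BGP export policy would still advertise BGP-learned routes."""
    policies, bad = cfg.get("policy-options", {}), []
    for gname, group in cfg.get("protocols", {}).get("bgp", {}).items():
        if not gname.startswith("group ") or not isinstance(group, dict):
            continue
        for pol in _names(_leaf(group, "export")):
            terms = [v for k, v in policies.get(f"policy-statement {pol}", {}).items()
                     if k.startswith("term ") and isinstance(v, dict)]
            then = terms[-1].get("then") if terms else None   # list for `then reject;`, dict for `then { reject; }`
            if not (isinstance(then, (list, dict)) and "reject" in then):
                bad.append((gname, pol))
    return bad

# Constructed sample: one tuned interface, one untuned access port with two members,
# and an export policy that ends in accept instead of reject.
SAMPLE_CONFIG = """\
interfaces {
    xe-0/0/0 {
        ether-options {
            no-flow-control;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members [ CUSTOMER100 CUSTOMER200 ];
                }
            }
        }
    }
}
protocols {
    bgp {
        group OGERO {
            export [ OGERO-EXPORT ];
        }
    }
}
policy-options {
    policy-statement OGERO-EXPORT {
        term OGERO-EXPORT {
            then accept;
        }
    }
}
"""

def lint(text=SAMPLE_CONFIG):
    cfg = parse_junos(text)
    return {"flow_control": check_flow_control(cfg),
            "access_ports": check_access_ports(cfg),
            "bgp_export": check_bgp_export_policies(cfg)}

if __name__ == "__main__":
    for check, findings in lint().items():
        print(f"{check}: {findings}")
```

Run it against the output of `show configuration` saved to a file (`lint(open("switch.conf").read())`); the parser ignores the `## Last commit:` header Junos prints but does not understand `inactive:` or `apply-groups`, so treat it as a quick sanity check rather than a full parser.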

FBF (filter-based forwarding)

Traffic from private (RFC 1918) source addresses is diverted into the forwarding instance route-tonat, whose only route is a default pointing at the NAT box 10.0.252.2, while traffic to internal destinations is accepted first by the bypass term and stays in the normal table. The rib-group copies the interface routes into route-tonat.inet.0 so that the static default's next-hop is resolvable inside that instance.

EX4500, EX4550

routing-instances {
    route-tonat {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.252.2;
            }
        }
    }
}

routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 route-tonat.inet.0 ];
        }
    }
}

firewall {
    family inet {
        filter mainvlan-in {
            term bypass {
                from {
                    destination-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        91.240.80.0/22;
                        172.16.0.0/12;
                    }
                }
                then accept;
            }
            term tonat {
                from {
                    source-address {
                        10.0.0.0/8;
                        192.168.0.0/16;
                        172.16.0.0/12;
                    }
                }
                then {
                    routing-instance route-tonat;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    input mainvlan-in;
                }
                address x.x.x.x/24;
            }
        }
    }
}
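To see how the filter and the two routing tables interact, here is an added example (not part of these notes): a small Python model that evaluates the mainvlan-in terms in order, as Junos does for a firewall filter, and then does a longest-prefix lookup in the table the packet ends up in. The routing tables are constructed: 10.0.100.0/24 stands in for the vlan.100 subnet (x.x.x.x/24 above), 10.0.252.0/30 for the connected subnet that the rib-group copies into route-tonat.inet.0, and 203.0.113.1 for the normal default next-hop in inet.0.

```python
"""Model of the mainvlan-in filter-based-forwarding setup above.

Added example, not part of the original notes. Prefixes in the filter terms
are copied from the configuration; the routing tables are constructed.
"""
import ipaddress

def _nets(*prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

# Destination and source prefixes from the bypass and tonat terms above.
BYPASS_DST = _nets("10.0.0.0/8", "192.168.0.0/16", "91.240.80.0/22", "172.16.0.0/12")
TONAT_SRC = _nets("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")

# Constructed tables. The interface routes appear in both because of the
# rib-group; without 10.0.252.0/30 in route-tonat.inet.0 the static default's
# next-hop 10.0.252.2 could not be resolved there. 10.0.100.0/24 is an assumed
# vlan.100 subnet and 203.0.113.1 an assumed upstream next-hop.
INTERFACE_ROUTES = {"10.0.252.0/30": "direct", "10.0.100.0/24": "direct"}
TABLES = {
    "inet.0": {**INTERFACE_ROUTES, "0.0.0.0/0": "203.0.113.1"},
    "route-tonat.inet.0": {**INTERFACE_ROUTES, "0.0.0.0/0": "10.0.252.2"},
}

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def classify(src, dst):
    """Evaluate the filter terms in order; return (matching term, routing table)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(d, BYPASS_DST):      # term bypass: internal destinations keep normal routing
        return "bypass", "inet.0"
    if _in_any(s, TONAT_SRC):       # term tonat: private sources go through the NAT instance
        return "tonat", "route-tonat.inet.0"
    return "default", "inet.0"      # term default: everything else, normal routing

def lookup(table, dst):
    """Longest-prefix match of dst in the named table; returns the next-hop label."""
    d = ipaddress.ip_address(dst)
    candidates = [ipaddress.ip_network(p) for p in TABLES[table]
                  if d in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return TABLES[table][str(best)]

def forward(src, dst):
    """Full path of a packet: (term, table, next-hop)."""
    term, table = classify(src, dst)
    return term, table, lookup(table, dst)

if __name__ == "__main__":
    # Constructed sample packets: a LAN host to the Internet, LAN to LAN,
    # and a host on the public /22 to the Internet.
    for src, dst in [("10.0.100.10", "8.8.8.8"),
                     ("10.0.100.10", "10.0.100.20"),
                     ("91.240.80.5", "8.8.8.8")]:
        print(src, "->", dst, forward(src, dst))
```

The order of the terms is what makes this work: if tonat came before bypass, LAN-to-LAN traffic from a private source would also be sent to the NAT box, which is why the destination check is evaluated first.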