Difference between revisions of "Juniper"

From WTFwiki
 
(35 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
= MX Routers =
 +
== Redundancy, Graceful Switchover, Graceful Restart, NSR, etc ==
 +
=== General HA ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/information-products/pathway-pages/high-availability/high-availability.html HA product info page]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/high-availability-features-in-junos-introducing.html HA Features in JunOS Intro]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/gres-overview.html GRES overview]
 +
 +
=== VRRP ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/vrrp-overview-ha.html VRRP overview]
 +
 +
=== In Service Software Upgrades (ISSU) ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/issu-oveview.html ISSU overview]
 +
 +
=== Non-Stop Routing ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/requirements/nsr-system-requirements.html NSR system requirements]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/nsr-overview.html NSR overview]
 +
 +
=== Graceful Restart ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/graceful-restart-concepts.html GR Concepts]
 +
 +
== Misc Notes ==
 +
=== Isolating a customer to one provider ===
 +
* Use rib-group import-policy with a separate routing instance: see [http://www.juniper.net/techpubs/software/junos/junos64/swconfig64-routing/html/routing-summary50.html here]
 +
* To inject only a default route into the routing instance (x.x.x.x is provider):
 +
  set routing-instance [name] routing-options static route 0/0 next-hop x.x.x.x
 +
 +
Another way:
 +
* instance-type of virtual-router, use instance-import knob to reference a policy-statement
 +
Config example:
 +
<pre>
 +
interfaces {
 +
    vlan {
 +
        unit 100 {
 +
            family inet {
 +
                filter {
 +
                    input classify-vlans;
 +
                }
 +
                address 192.168.1.15/24;
 +
            }
 +
        }
 +
        unit 200 {                     
 +
            family inet {
 +
                filter {
 +
                    input classify-vlans;
 +
                }
 +
                address 192.168.2.15/24;
 +
            }
 +
        }
 +
    }
 +
}
 +
policy-options {
 +
    policy-statement accept-from-inet.0 {
 +
        term 1 {
 +
            then accept;
 +
        }
 +
    }
 +
}
 +
firewall {
 +
    family inet {
 +
        filter classify-vlans {
 +
            term route-to-isp1 {
 +
                from {
 +
                    source-address {
 +
                        192.168.1.0/24;
 +
                    }
 +
                }
 +
                then {
 +
                    routing-instance isp1;
 +
                }
 +
            }
 +
            term route-to-isp2 {
 +
                from {
 +
                    source-address {
 +
                        192.168.2.0/24;
 +
                    }
 +
                }
 +
                then {
 +
                    routing-instance isp2;
 +
                }
 +
            }
 +
            term default {
 +
                then accept;
 +
            }
 +
        }
 +
    }
 +
}
 +
routing-instances {
 +
    isp1 {
 +
        instance-type virtual-router;
 +
        interface vlan.100;
 +
        routing-options {
 +
            static {
 +
                route 0.0.0.0/0 next-hop 10.0.0.1;
 +
            }
 +
            instance-import accept-from-inet.0;
 +
        }                             
 +
    }                                 
 +
    isp2 {                             
 +
        instance-type virtual-router; 
 +
        interface vlan.200;           
 +
        routing-options {             
 +
            static {                   
 +
                route 0.0.0.0/0 next-hop 10.0.0.5;
 +
            }                         
 +
            instance-import accept-from-inet.0;
 +
        }                             
 +
    }                                 
 +
}
 +
</pre>
 +
 
= EX Switches =
 
= EX Switches =
== Helpful CLI commands ==
+
== Generic Info ==
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/concept/ex-series-software-features-overview.html EX Series Switch Software Features Overview Matrix]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/general/ex-series-l3-protocols-not-supported.html Layer 3 Protocols Not Supported on EX Series Switches]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.4/topics/reference/general/ex-series-l3-protocols-supported.html Layer 3 Protocols Supported on EX Series Switches]
 +
*[[Setting up a mirrored port]]
 +
* [[ EX2200 DHCP - Snooping and IP-Guard]]
 +
 
 +
== Config Snippets ==
 +
=== Disabling Flow Control ===
 +
Flow control is enabled by default on all ports on at least EX3200, EX4200, and EX8216.  To disable:
 +
 
 +
  [edit interfaces]
 +
  +  interface-range flow-control {
 +
  +      member-range ge-0/0/0 to ge-2/0/23;
 +
  +      ether-options {
 +
  +          no-flow-control;
 +
  +      }
 +
  +  }
 +
 
 +
== Helpful shell commands ==
 
=== ifmon ===
 
=== ifmon ===
 
Time-elapsing interface counters: i/o bytes, i/o packets, errors, etc.<br/>
 
Time-elapsing interface counters: i/o bytes, i/o packets, errors, etc.<br/>
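Review bot: in the added config example, policy-statement accept-from-inet.0 has a single term with only "then accept" and no "from" clause, so nothing in the policy ties it to inet.0 as its name says; add a match such as "from instance master" to term 1, or rename the policy to say it accepts everything. The one-line command above the example also writes "set routing-instance [name]" while the example's own hierarchy is "routing-instances"; spell the statement out in full so the line can be pasted or loaded as written.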
Line 62: Line 191:
 
Elapsed time  :      15+01:46:39
 
Elapsed time  :      15+01:46:39
 
</nowiki></pre>
 
</nowiki></pre>
 +
== Security ==
 +
To disable physical LCD menu: set chassis lcd fpc 0 maintenance-menu disable (repeat for each FPC)
 +
 +
== Firewall / Packet Filtering ==
 +
=== Generic Info ===
 +
==== External Documentation ====
 +
* [http://www.juniper.net/techpubs/en_US/junos10.1/topics/concept/firewall-filter-ex-series-overview.html#jd0e30 TechDoc: Firewall Filters for EX Series Switches Overview]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.1/topics/reference/general/firewall-filter-ex-series-statements-supported.html TechDoc: Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.1/topics/example/firewall-filter-ex-series-configuring.html TechDoc: Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.1/topics/reference/requirements/firewall-filter-ex-series-match-conditions.html Firewall Filter Match Conditions and Actions for EX Series Switches]
 +
 +
== Archiving and Restore ==
 +
=== Archiving ===
 +
*[[Archiving configuration over SCP]]
 +
 +
== VLANs ==
 +
=== Generic Info ===
 +
 +
*[[Creating a Data and Voice Vlan with SSH access]]
  
= VLANs =
+
==== External Documentation ====
== Generic Info ==
 
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/concept/bridging-ex-series-understanding.html TechDoc: Understanding Bridging and VLANs on EX Series Switches]
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/concept/bridging-ex-series-understanding.html TechDoc: Understanding Bridging and VLANs on EX Series Switches]
  
== Tag Swapping (VLAN Translation) ==
+
=== Tag Swapping (VLAN Translation) ===
 +
==== External Documentation ====
 
* [http://kb.juniper.net/InfoCenter/index?page=content&id=KB16755&cat=JUNOS_EX&actp=LIST KB article: VLAN Translation on EX3200/EX4200]
 
* [http://kb.juniper.net/InfoCenter/index?page=content&id=KB16755&cat=JUNOS_EX&actp=LIST KB article: VLAN Translation on EX3200/EX4200]
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/configuration-statement/mapping-bridging-ex-series.html TechDoc: "mapping"]
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/reference/configuration-statement/mapping-bridging-ex-series.html TechDoc: "mapping"]
  
== QinQ / Stacked Tags ==
+
=== QinQ / Stacked Tags ===
 +
==== External Documentation ====
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/concept/qinq-tunneling-ex-series.html TechDoc: Understanding Q-in-Q Tunneling on EX Series Switches]
 
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/concept/qinq-tunneling-ex-series.html TechDoc: Understanding Q-in-Q Tunneling on EX Series Switches]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/example/qinq-tunneling-ex-series.html TechDoc: Example: Setting Up Q-in-Q Tunneling on EX Series Switches]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/task/configuration/qinq-tunneling-ex-series-cli.html TechDoc: Configuring Q-in-Q Tunneling (CLI Procedure)]
 +
* [http://www.juniper.net/techpubs/en_US/junos10.0/topics/task/verification/qinq-tunneling-status-ex-series.html TechDoc: Verifying That Q-in-Q Tunneling Is Working]
 +
 +
== MPLS ==
 +
=== Generic Info ===
 +
* [http://www.juniper.net/techpubs/en_US/junos10.1/information-products/pathway-pages/config-guide-mpls-applications/config-guide-mpls-applications.html MPLS Applications Configuration Guide]
 +
* [http://www.juniper.ie/techpubs/en_US/junos10.1/topics/concept/mpls-ex-series-overview.html TechDoc: JUNOS MPLS for EX-series Switches Overview]
 +
* [http://www.juniper.ie/techpubs/en_US/junos10.1/topics/concept/mpls-ex-series-components.html TechDoc: Understanding JUNOS MPLS Components for EX-series Switches]
 +
* [http://www.juniper.ie/techpubs/en_US/junos10.1/topics/example/mpls-ex-series-configuring.html TechDoc: Example: Configuring MPLS on EX-series Switches]
 +
 +
=== Path Protection ===
 +
* [http://www.juniper.ie/techpubs/en_US/junos10.1/topics/concept/mpls-ex-series-path-protection-understanding.html TechDoc: Understanding MPLS and Path Protection on EX-series Switches]
 +
* [http://www.juniper.ie/techpubs/en_US/junos10.1/topics/task/configuration/mpls-ex-series-path-protection-configuring-cli.html TechDoc: Configuring Path Protection in an MPLS Network (CLI Procedure)]
 +
 +
== Network Topology ==
 +
=== Rings ===
 +
==== External Documentation ====
 +
* [http://www.juniper.net/us/en/local/pdf/implementation-guides/8010045-en.pdf Implementation Guide: MX/EX ethernet ring]
 +
* [http://www.juniper.net/techpubs/software/junos/junos94/swconfig-network-interfaces/ethernet-ring-protection-switching-configuration-example.html TechDoc: Ethernet Ring Protection Switching Configuration Example]
 +
* [http://www.juniper.net/techpubs/en_US/junos/topics/concept/layer-2-ethernet-oam-ring-protection-overview-mx-solutions.html TechDoc: Ethernet Ring Protection]
 +
 +
= Class of Service =
 +
== Class of service for Juniper ==
 +
* [[Class of Service on MX Routers]]
 +
* [[Class of Service for EX Switches]]
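Review bot: the new Security entry gives its command inline in a prose sentence ("set chassis lcd fpc 0 maintenance-menu disable (repeat for each FPC)"); put the command on its own indented line, as the static-route command and the flow-control snippet on this page are, so the parenthetical cannot be read as part of the command. The added MPLS links also point at www.juniper.ie while every other link in this hunk uses www.juniper.net; use one host throughout.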

Latest revision as of 12:28, 5 November 2024

MX Routers

Redundancy, Graceful Switchover, Graceful Restart, NSR, etc

General HA

VRRP

In Service Software Upgrades (ISSU)

Non-Stop Routing

Graceful Restart

Misc Notes

Isolating a customer to one provider

  • Use rib-group import-policy with a separate routing instance: see here
  • To inject only a default route into the routing instance (x.x.x.x is provider):
  set routing-instances [name] routing-options static route 0/0 next-hop x.x.x.x

Another way:

  • instance-type of virtual-router, use instance-import knob to reference a policy-statement

Config example:

interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    input classify-vlans;
                }
                address 192.168.1.15/24;
            }
        }
        unit 200 {                      
            family inet {
                filter {
                    input classify-vlans;
                }
                address 192.168.2.15/24;
            }
        }
    }
}
policy-options {
    policy-statement accept-from-inet.0 {
        term 1 {
            then accept;
        }
    }
}
firewall {
    family inet {
        filter classify-vlans {
            term route-to-isp1 {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    routing-instance isp1;
                }
            }
            term route-to-isp2 {
                from {
                    source-address {
                        192.168.2.0/24;
                    }
                }
                then {
                    routing-instance isp2;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    isp1 {
        instance-type virtual-router;
        interface vlan.100;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.1;
            }
            instance-import accept-from-inet.0;
        }                               
    }                                   
    isp2 {                              
        instance-type virtual-router;   
        interface vlan.200;             
        routing-options {               
            static {                    
                route 0.0.0.0/0 next-hop 10.0.0.5;
            }                           
            instance-import accept-from-inet.0;
        }                               
    }                                   
}
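
A static check for the config example above, added here and not part of the original wiki page: it parses brace-style Junos text and reports filter terms that steer to an undefined routing instance, instance-import statements that name an undefined policy, and policy terms that accept with no from match. The sample string, the function names and the wording of the findings are assumptions; comments and quoted strings in the config are not handled.

```python
import re
# Constructed sample: the page's config condensed, with isp2 left undefined on purpose.
SAMPLE = """
policy-options { policy-statement accept-from-inet.0 { term 1 { then accept; } } }
firewall { family inet { filter classify-vlans {
    term route-to-isp1 { then { routing-instance isp1; } }
    term route-to-isp2 { then { routing-instance isp2; } } } } }
routing-instances { isp1 { routing-options { instance-import accept-from-inet.0; } } }
"""

def parse(text):
    """Brace-style Junos config -> nested dicts; leaf statements map to None."""
    stack = [{}]
    for stmt, delim in re.findall(r"\s*([^{};]*?)\s*([{};])", text):
        if delim == "{":
            stack.append(stack[-1].setdefault(stmt, {}))
        elif delim == ";":
            stack[-1][stmt] = None
        elif len(stack) > 1:  # "}" closes the current block
            stack.pop()
    return stack[0]

def leaves(node, path=()):
    """Yield (path, statement) for every leaf statement."""
    for key, val in node.items():
        if val is None:
            yield path, key
        else:
            yield from leaves(val, path + (key,))

def audit(cfg):
    """Flag dangling instance or policy references and unconditional accepts."""
    findings = []
    instances = set(cfg.get("routing-instances", {}))
    policies = {k.split()[1]: v for k, v in cfg.get("policy-options", {}).items()
                if k.startswith("policy-statement ") and v is not None}
    for path, stmt in leaves(cfg):
        kw, arg = (["", ""] + stmt.split())[-2:]  # last two words of the statement
        if path[:1] == ("firewall",) and kw == "routing-instance" and arg not in instances:
            findings.append(f"undefined routing-instance {arg} in {' > '.join(path)}")
        if path[:1] == ("routing-instances",) and kw == "instance-import" and arg not in policies:
            findings.append(f"undefined policy {arg} in {' > '.join(path)}")
    for name, terms in policies.items():
        for term, body in terms.items():
            body = body or {}  # a statement directly under the policy has no term body
            accepts = "then accept" in body or "accept" in (body.get("then") or {})
            if accepts and not any(k.startswith("from") for k in body):
                findings.append(f"policy {name} {term}: accept with no from match")
    return findings
```

Calling audit(parse(SAMPLE)) returns two findings: the filter term that points at the missing isp2 instance, and term 1 of accept-from-inet.0.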

EX Switches

Generic Info

Config Snippets

Disabling Flow Control

Flow control is enabled by default on all ports on at least EX3200, EX4200, and EX8216. To disable:

 [edit interfaces]
 +   interface-range flow-control {
 +       member-range ge-0/0/0 to ge-2/0/23;
 +       ether-options {
 +           no-flow-control;
 +       }
 +   }

Helpful shell commands

ifmon

Time-elapsing interface counters: i/o bytes, i/o packets, errors, etc.
Pass the interface name when calling the command.

Usage: ifmon [-v] [-JL <lrname>] [interface]

What do the other flags do..?

iftop

Time-elapsing overview of interface counters: for all interfaces
Gives each port's rate in pps or bps, etc.

Usage: iftop [-v] [-d]

  • -v : shows version
  • -d : same as running without arguments, but adds interface descriptions

mtr

Yes.. Juniper actually includes mtr: pass it a hostname, watch a time-lapse
traceroute occur. Look up the details online; it is a widely available tool.

tcpdump

Juniper includes a modified version of tcpdump; again, look it up elsewhere.

Semi-hidden debug interfaces

lcdd: Line Card Daemon

"lcdd" from a shell (not the CLI) connects you to various other parts of the switch,
including the software forwarding infrastructure (sfid), chassis manager (chassism),
and the virtual chassis system (vccpd). You don't need to be root to get into these.
The general idea is:

 > lcdd 0 <area>

Where area is one of the above/below items. The digit (0) is the FPC slot number. EX switches only have FPC0.

sfid: Software Forwarding Infrastructure

chassism: Chassis Manager

vccpd: Virtual Chassis'

vty: Shell out to other parts of the system

"vty fpc0": connect to PFE


root@3200-24t:RE:0% vty fpc0


BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)

PFEM0(vty)# show version

Juniper Embedded Microkernel Version 10.1R1.8
Built by builder on 2010-02-12 17:42:57 UTC
Copyright (C) 1998-2010, Juniper Networks, Inc.
All rights reserved.


BSD platform (MPC 8544 processor, 48MB memory, 0KB flash)
Current time   : Fri Nov 19 14:36:37 2010

Elapsed time   :      15+01:46:39

Security

To disable physical LCD menu: set chassis lcd fpc 0 maintenance-menu disable (repeat for each FPC)

Firewall / Packet Filtering

Generic Info

External Documentation

Archiving and Restore

Archiving

VLANs

Generic Info

External Documentation

Tag Swapping (VLAN Translation)

External Documentation

QinQ / Stacked Tags

External Documentation

MPLS

Generic Info

Path Protection

Network Topology

Rings

External Documentation

Class of Service

Class of service for Juniper