Juniper Junos OS R&S commands

Vlans

In the pre-ELS (Enhanced Layer 2 Software) version of Junos OS, the default VLAN did not have a VLAN ID associated with it and was untagged.

show vlans
show vlans <VLAN_NAME> detail

edit vlans
set default vlan-id 1
set vlan10 vlan-id 10
set vlan20 vlan-id 20
set <VLAN_NAME> vlan-id <VLAN_ID>

Optional way to assign an interface to a VLAN

edit vlans <VLAN_NAME>
set interface <INTERFACE>

Interface Monitoring commands

Juniper command                      Cisco command
show interfaces descriptions         show interfaces descriptions
show interfaces terse                show ip interface brief
show ethernet-switching interfaces   show interfaces switchport
show ethernet-switching interfaces   show interfaces trunk
show vlans                           show vlans
show ethernet-switching table        show mac address-table

NOTE: show interfaces descriptions only lists interfaces that have a description configured.

show interfaces ge-0/0/x brief
show interfaces ge-0/0/x
show interfaces ge-0/0/x detail
show interfaces ge-0/0/x extensive

Log of recent changes in the MAC address table:

show ethernet-switching mac-learning-log | except 00:00:00:00:00:00

Layer 2 Access & Trunk ports

show ethernet-switching table

Access Ports

delete interfaces xe-0/0/x unit 0 family inet
set    interfaces xe-0/0/x unit 0 family ethernet-switching
set    interfaces xe-0/0/x unit 0 family ethernet-switching interface-mode access vlan members default

or

edit interfaces xe-0/0/x.0
delete family inet

edit family ethernet-switching
set interface-mode access vlan members <VLAN_NAME>

Trunk Ports

edit interfaces xe-0/0/x.0
delete family inet

edit family ethernet-switching
set interface-mode trunk vlan members [vlan10 vlan20]
or
set interface-mode trunk vlan members all  # To allow all the configured VLANs on the trunk

set native-vlan-id <VLAN_ID>      (optional)

Voice VLAN

To assign a port to a “voice” VLAN, in addition to assigning the port to its data VLAN, configure the following under the switch-options hierarchy.

edit switch-options
edit voip interface (access-ports | ge-0/0/x.0)
set vlan (<VLAN_NAME> | <VLAN_ID>)
set forwarding-class assured-forwarding

Interface Range

Define a range of interfaces that share common configuration parameters.

edit interfaces
edit interface-range <RANGE-NAME>
set member-range ge-0/0/x to ge-0/0/z
set unit 0 family ethernet-switching

or

edit interfaces
edit interface-range <RANGE-NAME>
set member ge-0/0/x
set member ge-0/0/y
set member ge-0/0/z
set unit 0 family ethernet-switching

Spanning-Tree

802.1d STP 802.1w RSTP

show spanning-tree bridge
show spanning-tree interface
show spanning-tree statistics interface
show ethernet-switching interfaces

Activate RSTP on all interfaces

edit protocols rstp
set interface all

Activate the bpdu-block-on-edge feature, which shuts down ports configured as edge when they receive an STP BPDU.

edit protocols rstp
set bpdu-block-on-edge
set interface xe-0/0/x edge

To automatically re-enable a port that was shut down by the bpdu-block-on-edge feature after receiving an STP BPDU:

edit protocols
edit layer2-control bpdu-block
set interface xe-0/0/x
set disable-timeout 180

To manually do the same

clear error bpdu interface xe-0/0/x

To use legacy STP as opposed to RSTP

edit protocols rstp
set force-version stp

To disable RSTP on a single interface

edit protocols rstp
edit interface xe-0/0/x
set disable

Modify RSTP Bridge-Priority

edit protocols rstp
set bridge-priority 20k
or
set bridge-priority 16k
or
set bridge-priority 8k

Modify RSTP cost

edit protocols rstp
edit interface xe-0/0/x
set cost <COST>

Example:

edit protocols rstp
set bridge-priority 20k
set interface ge-0/0/x.0 disable
set interface ge-0/0/y.0 cost 1000
set interface ge-0/0/z.0 edge
set interface ge-0/0/y.0 mode point-to-point

MSTP

MSTP provides the same benefits as RSTP, but also provides standardized support to multiple VLANs with different topologies.

Group VLANs

set protocols mstp configuration-name example

set protocols mstp msti 1 vlan [1 3 5]  # Assign VLANs 1, 3, and 5 to instance 1
set protocols mstp msti 2 vlan [2 4 6]  # Assign VLANs 2, 4, and 6 to instance 2

BPDU Protection, Root Protection, and Loop Protection

BPDU Protection

Configured on edge ports: incoming BPDUs are dropped and the interface is blocked.

To unblock the interface, run

clear error bpdu interface ge-0/0/x

or automatically unblock the port after certain time with:

edit protocols layer2-control
set bpdu-block disable-timeout <10..3600 SECONDS>

With STP enabled

show spanning-tree interface ge-0/0/x.0

edit protocols rstp
set interface ge-0/0/x.0 edge
set bpdu-block-on-edge

With STP disabled

show interfaces ge-0/0/x

edit protocols layer2-control
set bpdu-block interface ge-0/0/x.0

Root Protection

Enable Root Protection on ports that should not receive superior BPDUs from the root bridge and should not be elected as the root port. It is commonly configured on aggregation layer switches on the ports towards access layer switches.

show spanning-tree interface

edit protocols rstp
set interface ge-0/0/x.0 no-root-port

Loop Protection

The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports. Enable loop protection on all non-designated ports.

Ports that detect the loss of BPDUs transition to the loop-inconsistent role, which maintains the blocking state. The port automatically transitions back to its previous or a new role when it receives a BPDU.

When enabling loop protection, it is recommended to enable it on all switch interfaces that have a chance of becoming root or designated ports. It is most effective when enabled on all switches within the network.

show spanning-tree interface
show log messages | match "loop|protect"

edit protocols rstp
set interface ge-0/0/x.0 bpdu-timeout-action block

NOTE: An interface can be configured for either loop protection or root protection but not both.

Rib-groups

  1. Define the rib-group under the routing-options hierarchy level

edit routing-options rib-groups <RIB-GROUP-NAME>
set import-rib <ROUTING-TABLE-NAME1>
set import-rib <ROUTING-TABLE-NAME2>

  2. Apply the rib-group to routing protocols, interface routes, or both, as needed

edit protocols ospf
set rib-group <RIB-GROUP-NAME>

edit routing-options
set interface-routes rib-group <FAMILY> <RIB-GROUP-NAME>

edit routing-options
set static rib-group <RIB-GROUP-NAME>

  3. Create a routing policy (optional)

edit policy-options policy-statement <POLICY-NAME> term <TERM_NAME>
set to rib <ROUTING-TABLE-NAME>
set from ...
set then ...

  4. Apply an import-policy to the rib-group (optional)

The import-policy controls which routes are installed in each routing table.

set routing-options rib-groups <RIB-GROUP-NAME> import-policy <POLICY-NAME>

Reference: Junos CLI Reference - rib-groups

[edit routing-options]
rib-groups {
    group-name {
        export-rib group-name;
        import-policy [ policy-names ];
        import-rib [ group-names ];
    }
}

Mac Limiting

Juniper term           Cisco term
MAC Limiting           Port Security
Persistent Learning    Sticky MAC

show ethernet-switching interface xe-0/0/x.0

edit switch-options
edit interface xe-0/0/x.0
set interface-mac-limit <NUMBER>
set interface-mac-limit packet-action drop
set persistent-learning

DHCP snooping, DAI (Dynamic ARP Inspection), IP Source Guard

show dhcp-security binding [ip-source-guard]
show dhcp-security arp inspection statistics

EX Switch

edit ethernet-switching-options

edit secure-access-port interface xe-0/0/x
set dhcp-trusted

edit secure-access-port interface xe-0/0/y
set no-dhcp-trusted

edit vlan default
set examine-dhcp
set arp-inspection
set ip-source-guard

QFX Switch

edit vlans default forwarding-options dhcp-security
set arp-inspection
set ip-source-guard

set group TRUSTED overrides trusted
set group TRUSTED interface xe-0/0/x.0

set group STATIC-binding interface xe-0/0/x.0 static-ip <IP_ADDRESS> mac <MAC_ADDRESS>

LAGs - LACP - Aggregated Ethernet

802.3ad standard. Link aggregation combines multiple Ethernet interfaces into a single link-layer interface, also known as a Link Aggregation Group (LAG) or bundle.

  • Full duplex and link speed must match
  • Up to 16 member links per LAG
  • Member links do not need to be contiguous ports, nor must they be on the same switch when part of a Virtual Chassis

LACP exchanges are made between actors and partners:

  • Actor: Local interface
  • Partner: Remote interface

LACP exchanges protocol data units (PDUs) across all member links to ensure that each physical interface is configured and is functioning properly.

show lacp interfaces
show lacp statistics interfaces
show interfaces terse | match ae
show interfaces extensive ae0.0 | find "LACP Statistics:"

  1. Create the aggregated Ethernet interfaces

set chassis aggregated-devices ethernet device-count <NUMBER_OF_aeX_INTERFACES>

  2. Configure the aggregated Ethernet interface and associate the desired member links with the LAG

set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces ae0 aggregated-ether-options lacp active

set interfaces ge-0/0/x ether-options 802.3ad ae0
set interfaces ge-0/0/y ether-options 802.3ad ae0

Optional: set the LACP exchange rate

edit interfaces ae0 aggregated-ether-options lacp
set periodic (fast|slow)

Configuring Routed VLAN interfaces

edit vlans
set example l3-interface vlan.100

top
edit interfaces vlan
set unit 100 description Example
set unit 100 family inet address 192.168.100.2/24

Firewall filters

Firewall filters are not stateful firewall rules, but stateless packet filters just like Cisco IOS ACLs.

Port-based and VLAN based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on traffic type.

  • Input order: Rx Packet, Port Filter, VLAN Filter, Router Filter
  • Output order: Router Filter, VLAN Filter, Port Filter, Tx Packet

NOTE: A router-based filter that is applied to an integrated routing and bridging (IRB) does not apply to switched packets in the same VLAN.

show firewall

Junos OS

When a Firewall Filter is applied, the software discards (drops silently) all traffic not explicitly enabled.

  • [edit firewall family inet]: IPv4 filters for Layer 3 interfaces
  • [edit firewall family inet6]: IPv6 filters for Layer 3 interfaces
  • [edit firewall family ethernet-switching]: Filters for Layer 2 interfaces

edit firewall family inet
edit filter sample-filter
set term block-bad-subnet from source-address 192.168.0.0/24 then discard
set term access-all then accept

Applying the Firewall filter to an interface

set interfaces vlan.2 family inet filter input|output sample-filter

Applying the Firewall filter to an entire vlan

set vlans <VLAN_NAME> filter input|output sample-filter

Cisco IOS

access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip any any

MAC limiting

By default, interfaces have no defined limit on the number of MAC addresses they can learn.

  • A VLAN can be configured to limit the number of times a MAC address can move to a new interface within a period of time.
  • An interface can be configured to learn only a certain number of MAC addresses, or to process traffic only from specific MAC addresses.

Use MAC limiting to protect the network by:

  • Limiting the number of MAC addresses learned on a port
  • Preventing MAC address spoofing by explicitly configuring the MAC addresses accepted on a port
  • Monitoring MAC address movement between the ports in a VLAN

MAC move limiting is enabled on a per-VLAN basis. For example, if a MAC address moves more than the configured limit within one second, the switch performs the configured action.

When a MAC address or MAC move limit is exceeded, the switch can perform one of the following actions.

Action         Description
none           Does nothing
drop           Drops the packet and generates an alarm, an SNMP trap, or a system log entry.
log            Does not drop the packet but generates a system log entry.
drop-and-log   Drops the packet and generates an alarm, an SNMP trap, or a system log entry.
shutdown       Disables the port, blocks data traffic, and generates a system log entry.

Use recovery-timeout <SECONDS> under the family ethernet-switching interface hierarchy to recover the port automatically. Otherwise the disabled port must be cleared manually with clear ethernet-switching recovery-timeout.

Configuration example for Static Source MAC addresses

show ethernet-switching interface ge-0/0/x
show log messages | match l2ald
clear ethernet-switching recovery-timeout interface ge-0/0/x

set interfaces ge-0/0/x.0 accept-source-mac mac-address XX:XX:XX:XX:XX:XX
set interfaces ge-0/0/x.0 accept-source-mac mac-address YY:YY:YY:YY:YY:YY

set interfaces ge-0/0/x.0 interface-mac-limit 2
set interfaces ge-0/0/x.0 interface-mac-limit packet-action log|drop|shutdown|drop-and-log

set vlans <VLAN_NAME> switch-options mac-move-limit 1 packet-action shutdown
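The limit, move-limit and packet-action behaviour described in this section, as a small Python model (an added example, not from the original post): the MacLimiter class, the interface names and the MAC addresses are constructed, and the per-MAC one-second move window and the recovery-timeout handling follow the text above rather than the switch's exact implementation.

```python
from collections import defaultdict, deque

# packet-action values from the table above: "none" and "log" still forward
# the frame, the other three drop it, and "shutdown" also disables the port.
ACTIONS = {"none", "drop", "log", "drop-and-log", "shutdown"}


class MacLimiter:
    """Toy model of interface-mac-limit and the per-VLAN mac-move-limit
    (moves counted within a one-second window) with recovery-timeout."""

    def __init__(self, interface_limit, interface_action,
                 move_limit=None, move_action="shutdown", recovery_timeout=None):
        if interface_action not in ACTIONS or move_action not in ACTIONS:
            raise ValueError("unknown packet-action")
        self.interface_limit = interface_limit
        self.interface_action = interface_action
        self.move_limit = move_limit              # moves per second per MAC, None = unlimited
        self.move_action = move_action
        self.recovery_timeout = recovery_timeout  # seconds, None = manual clear only
        self.learned = defaultdict(set)  # interface -> set of learned MACs
        self.location = {}               # MAC -> interface it is currently learned on
        self.moves = defaultdict(deque)  # MAC -> timestamps of recent moves
        self.disabled = {}               # interface -> time it was shut down
        self.log = []                    # syslog-style messages the actions would generate

    def _apply(self, action, interface, mac, reason, now):
        """Turn a configured packet-action into a verdict plus its side effects."""
        if action in ("log", "drop-and-log", "shutdown"):
            self.log.append(f"{now:.1f} l2ald: {reason} mac={mac} interface={interface}")
        if action == "shutdown":
            self.disabled[interface] = now
            self.learned.pop(interface, None)
        return "forward" if action in ("none", "log") else "drop"

    def _recover(self, interface, now):
        """recovery-timeout re-enables a shut-down port on its own."""
        down_since = self.disabled.get(interface)
        if (down_since is not None and self.recovery_timeout is not None
                and now - down_since >= self.recovery_timeout):
            del self.disabled[interface]

    def clear_recovery_timeout(self, interface):
        """Equivalent of: clear ethernet-switching recovery-timeout interface <X>."""
        self.disabled.pop(interface, None)

    def frame(self, now, interface, mac):
        """Process one ingress frame; returns 'forward' or 'drop'."""
        self._recover(interface, now)
        if interface in self.disabled:
            return "drop"
        previous = self.location.get(mac)
        if previous is not None and previous != interface:
            # The MAC moved: count moves in the last second against mac-move-limit.
            window = self.moves[mac]
            window.append(now)
            while window and now - window[0] >= 1.0:
                window.popleft()
            if self.move_limit is not None and len(window) > self.move_limit:
                return self._apply(self.move_action, interface, mac,
                                   "MAC move limit exceeded", now)
            self.learned[previous].discard(mac)
        if mac not in self.learned[interface]:
            if len(self.learned[interface]) >= self.interface_limit:
                # Over the limit: the MAC is not learned and the action decides the verdict.
                return self._apply(self.interface_action, interface, mac,
                                   "MAC limit exceeded", now)
            self.learned[interface].add(mac)
        self.location[mac] = interface
        return "forward"
```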

Persistent MAC Learning

Persistent MAC learning, or “Sticky MAC”, enables the retention of dynamically learned MAC addresses on a port even after the switch is reloaded or the port is bounced.

Use clear ethernet-switching table persistent-learning to clear the persistent MAC address entry from the interface.

If the original port is down when a device is moved, the new port learns the MAC address and the device can connect. But if the original port comes back up, the original entry is re-installed and the device now on the new port loses connectivity.

show ethernet-switching table

set switch-options interface ge-0/0/x.0 persistent-learning

MACsec

Terms:

  • CKN - Connectivity Association Key Name
  • CAK - Connectivity Association Key
  • MKA - MACsec Key Agreement
  • SAK - Secure Association Key

Configuring static Connectivity Association Key (CAK) security mode:

  1. Create the connectivity association:

set security macsec connectivity-association <CA_NAME>

  2. Configure the MACsec security mode as static CAK:

set security macsec connectivity-association <CA_NAME> security-mode static-cak

  3. Configure the pre-shared key with the Connectivity Association Key Name (CKN) and CAK:

set security macsec connectivity-association <CA_NAME> pre-shared-key ckn <HEXADECIMAL_NUMBER>
set security macsec connectivity-association <CA_NAME> pre-shared-key cak <HEXADECIMAL_NUMBER>

  4. Associate interfaces with the connectivity association:

set security macsec interfaces <INTERFACE_NAME> connectivity-association <CA_NAME>

Example:

edit security macsec
set connectivity-association ca1
set connectivity-association ca1 security-mode static-cak
set connectivity-association ca1 pre-shared-key ckn <HEXADECIMAL_NUMBER>
set connectivity-association ca1 pre-shared-key cak <HEXADECIMAL_NUMBER>
set interfaces xe-0/1/0 connectivity-association ca1

show security macsec connections
show security mka statistics

DHCP snooping

Attackers can exploit DHCP by setting up a rogue DHCP server, effectively launching a denial of service (DoS) attack. DHCP snooping inspects all DHCP packets on untrusted ports.

  • By default, Junos OS treats access ports as untrusted and trunk ports as trusted
  • DHCP Servers should be behind trusted ports

DHCP snooping supports DHCP option 82, aka the DHCP relay agent information option.

EX Series switch implementation of option 82 contains three sub-options:

  • circuit-id - Identifies the circuit (interface, VLAN or both) on the switch on which the request was received. Example: ge-0/0/10:vlan1 or ge-0/0/10
  • remote-id - Identifies the host. By default, it is the MAC address of the Switch but it could be the hostname of the Switch, the interface description, or a character string of your choice.
  • vendor-id - Identifies the vendor of the host. If enabled but not specified the value Juniper is used.

The DHCP Server must be configured to accept Option 82 if enabled on Network devices.

show dhcp-security binding

clear dhcp-security binding
clear dhcp-security binding vlan <VLAN_ID>
clear dhcp-security binding interface <INTERFACE_NAME>
clear dhcp-security binding ip-address <IP_ADDRESS>

# Enabling dhcp-security features under forwarding-options automatically turns on DHCP snooping
set vlans <VLAN_NAME> forwarding-options dhcp-security

# Overrides the default behavior and allows the specified access interface to receive DHCP server traffic (DHCPOFFER, DHCPACK, DHCPNAK). This is the default for trunk ports.
# DHCP servers should be behind trusted ports
set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-1 overrides trusted
set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-1 interface ge-0/0/x.0

# Access ports are untrusted by default anyway...
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/y.0
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/z.0

# Optional. Add static entries for hosts configured with a static IP address (no DHCP lease to snoop)
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/z.0 static-ip X.X.X.X mac XX:XX:XX:XX:XX:XX

Keep the DHCP Snooping database persistent across reboots

edit system processes
set dhcp-service dhcp-snooping-file /var/tmp/dhcp-snooping-database
set dhcp-service dhcp-snooping-file write-interval 60

file show /var/tmp/dhcp-snooping-database
show dhcp-security binding statistics

Persistent Dynamic ARP Inspection (DAI)

DHCP snooping must be enabled for DAI to work.

Dynamic ARP Inspection (DAI) examines ARP requests and responses on the LAN. Each ARP packet received on an untrusted access port is validated against the DHCP snooping database. By validating each ARP packet received on untrusted access ports, DAI can prevent ARP spoofing. If the DHCP snooping database does not contain an IP address-to-MAC entry for the information within the ARP packet, DAI drops the ARP packet, preventing the propagation of invalid host address information. DAI also drops ARP packets when the IP address in the packet is invalid because DAI depends on the entries found within the DHCP snooping database. ARP packets bypass DAI on trusted ports.

show arp
show dhcp-security binding
show dhcp-security arp inspection statistics
show log messages | match DAI

DAI is enabled per VLAN and not on individual ports

Ports connecting to hosts configured with a static IP address must be set to trusted in order for their ARP packets to be accepted.

# Enable DAI
set vlans <VLAN_NAME> forwarding-options dhcp-security arp-inspection

# Ports connecting to hosts configured with a static IP address must be set to trusted in order for their ARP packets to be accepted
set vlans <VLAN_NAME> forwarding-options dhcp-security group group-1 overrides trusted
set vlans <VLAN_NAME> forwarding-options dhcp-security group group-1 interface ge-0/0/x.0

ARP packets are sent to the Routing Engine (RE). To prevent CPU overload, Junos OS rate-limits the ARP packets hitting the RE.

IP Source Guard

IP Source Guard checks the source IP and MAC address of packets entering untrusted ports against the DHCP snooping database. Packets failing this check are discarded.

IP Source Guard is enabled per VLAN; it checks packets only on untrusted access interfaces and never on trunk interfaces or trusted access interfaces.

IP Source Guard prevents IP spoofing attacks by:

  • Inspecting IP packets on untrusted ports and validating them against the DHCP snooping database
  • Check if the source MAC address of the IP packet matches a valid entry in the DHCP snooping database
  • If no IP-MAC entry in the database corresponds to the information in the IP packet, IP source guard drops the IP packet

show dhcp-security binding
show dhcp-security binding ip-source-guard

set vlans <VLAN_NAME> forwarding-options dhcp-security ip-source-guard

802.1X user authentication is applied in one of three modes:

  • Single supplicant: Works with IP source guard
  • Single-source supplicant: Does not work with IP source guard
  • Multiple supplicant: Does not work with IP source guard

Define a Static IP-MAC under dhcp-security for those hosts with Static IP address configured.
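The DAI and IP Source Guard checks described in the two sections above, as a Python model that validates ARP and IP packets against a DHCP snooping binding table, with trusted-port bypass and static bindings (an added example, not from the original post). The DhcpSecurity class, the port list and the binding entries are constructed for illustration; the check logic follows the behaviour the text describes.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping database entry (as listed by show dhcp-security binding)."""
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False   # static-ip <IP> mac <MAC> entry for a host that does not use DHCP


@dataclass(frozen=True)
class Port:
    name: str
    mode: str              # "access" or "trunk"
    trusted: bool = False  # set by "group <NAME> overrides trusted"


class DhcpSecurity:
    """Toy model of dhcp-security arp-inspection and ip-source-guard."""

    def __init__(self, ports, bindings=()):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}
        self.stats = Counter()   # (interface, check, verdict) -> count
        for b in bindings:
            self.add_binding(b)

    def add_binding(self, binding):
        self.bindings[(binding.vlan, binding.ip)] = binding

    def _inspected(self, port):
        # Trunk ports are trusted by default; access ports only when overridden.
        return port.mode == "access" and not port.trusted

    def _validate(self, vlan, interface, ip, mac):
        port = self.ports.get(interface)
        if port is None:
            return "drop", "unknown interface"
        if not self._inspected(port):
            return "accept", "trusted port, not inspected"
        try:
            ip = str(ip_address(ip))
        except ValueError:
            return "drop", "invalid IP address"
        binding = self.bindings.get((vlan, ip))
        if binding is None:
            return "drop", "no DHCP snooping binding for IP in this VLAN"
        if binding.mac.lower() != mac.lower() or binding.interface != interface:
            return "drop", "IP-MAC-interface mismatch with binding"
        return "accept", "matches binding"

    def arp_inspection(self, vlan, interface, sender_ip, sender_mac):
        """DAI: the sender IP/MAC of an ARP packet must match a binding on that interface."""
        verdict, reason = self._validate(vlan, interface, sender_ip, sender_mac)
        self.stats[(interface, "arp", verdict)] += 1
        return verdict, reason

    def ip_source_guard(self, vlan, interface, src_ip, src_mac):
        """IPSG: the same check applied to the source IP/MAC of an IP packet."""
        verdict, reason = self._validate(vlan, interface, src_ip, src_mac)
        self.stats[(interface, "ip", verdict)] += 1
        return verdict, reason

    def drops(self, interface):
        """Per-interface drop counters, in the spirit of show dhcp-security arp inspection statistics."""
        return {check: self.stats[(interface, check, "drop")] for check in ("arp", "ip")}


# Constructed example topology and snooping database (not from the page).
PORTS = [
    Port("ge-0/0/1.0", "access"),                # DHCP client, untrusted
    Port("ge-0/0/2.0", "access"),                # untrusted, no binding
    Port("ge-0/0/3.0", "access", trusted=True),  # static-IP server, overrides trusted
    Port("ge-0/0/4.0", "access"),                # host covered by a static binding
    Port("ge-0/0/47.0", "trunk"),                # uplink, trusted by default
]
BINDINGS = [
    Binding("192.168.10.20", "aa:aa:aa:aa:aa:01", 10, "ge-0/0/1.0"),
    Binding("192.168.10.50", "aa:aa:aa:aa:aa:50", 10, "ge-0/0/4.0", static=True),
]


def build():
    return DhcpSecurity(PORTS, BINDINGS)
```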

Graceful Routing Engine Switchover (GRES)

Enables system control to switch from the primary RE to the backup RE with minimal interruption to network communications by synchronizing the kernel tables and Packet Forwarding Engine (PFE) tables. This feature requires redundant REs or a Virtual Chassis.

GRES enables a switch with redundant REs (or participating in a Virtual Chassis) to continue forwarding packets even if one RE fails, by handing control of the switch from the primary RE to the backup RE with minimal interruption to network communications.

GRES preserves interface and kernel information and ensures that traffic forwarding is not interrupted during a primary role change. GRES does not, however, preserve control plane information, which means the Routing Protocols Process (rpd) must restart. In that case, the information learned through rpd must be relearned unless Nonstop Active Routing (NSR) is also configured.

Without GRES, a failure on the primary RE or a manual switchover to the backup RE causes a Packet Forwarding Engine (PFE) restart, and all interfaces are rediscovered by the new primary RE.

With GRES enabled, the PFE is NOT restarted and all interface and kernel information is preserved.

show chassis routing-engine
show system switchover  # Only on the backup RE
commit synchronize

  • Enable GRES

set chassis redundancy graceful-switchover

Manual Switchover:

request chassis routing-engine master switch
request chassis routing-engine master ?

Nonstop Active Routing (NSR)

Provides high availability in a Switch with redundant REs or on a Virtual Chassis by enabling transparent switchover of the REs without requiring a restart of supporting routing protocols by synchronizing the Routing Protocol Process (rpd) and routing information.

NSR allows switchover of the REs (or in Virtual Chassis) without alerting peering devices. On top of synchronizing configuration, interface and Kernel information (GRES), NSR also synchronizes Routing Protocol information by running the Routing Protocol Process (rpd) on the backup RE.

show task replication

Alternatively, issue operational show commands such as show ospf neighbor, show bgp summary, show route on the backup RE to verify the state information was successfully replicated.

  • Enable NSR

NOTE: NSR requires GRES to be configured.

set chassis redundancy graceful-switchover  # Enable GRES first
set routing-options nonstop-routing
commit synchronize

NOTE: commit synchronize can become the default behavior once we configure it with set system commit synchronize

Nonstop Bridging (NSB)

Provides high availability in a switch with redundant REs or on a Virtual Chassis by enabling transparent switchover of the REs without requiring a restart of the supported Layer 2 protocols, by synchronizing the RE process and switching information.

NSB allows switchover of the REs (or in Virtual Chassis) without alerting peering devices. NSB also saves supported Layer 2 (L2) information by running the l2cpd process on the backup RE.

NSB does the same for L2 protocols that NSR does for L3 Routing Protocols.

Enable NSB

NOTE: NSB requires GRES to be configured.

set chassis redundancy graceful-switchover  # Enable GRES first
set protocols layer2-control nonstop-bridging
commit synchronize

NOTE: commit synchronize can become the default behavior once we configure it with set system commit synchronize

If NSB is enabled, the backup RE will show some information in the output of show spanning-tree bridge, otherwise it would show that the l2cpd-service subsystem is NOT running.

Unified ISSU - Unified In-Service Software Upgrade

Requires:

  1. Have GRES and NSR enabled
  2. Both RE running same Junos OS release
  3. Have the new Junos OS release downloaded to both REs
  4. Execute the command request system software in-service-upgrade

show chassis in-service-upgrade

Virtual Chassis

Renumber the member-id of a Switch member of a Virtual Chassis

request virtual-chassis renumber member-id 0 new-member-id 5

Shutdown a specific member of a Virtual Chassis.

request system halt member <MEMBER-ID>

Access individual member of a Virtual Chassis.

request session number <MEMBER-ID>

Upgrade Switches part of a Virtual Chassis.

# All switches
request system software add

# Specific switch
request system software add member <MEMBER-ID>

Auto Software Update for new members of the Virtual Chassis

set virtual-chassis auto-sw-update package-name /var/tmp/jinstall-ex-4300-21.3R1.9-signed.tgz

Enabling Virtual Chassis Ports

request virtual-chassis vc-port set pic-slot 1 port 0
request virtual-chassis vc-port set pic-slot 1 port 1
show virtual-chassis vc-port

Disabling and Deleting Virtual Chassis Ports

request virtual-chassis vc-port set interface vcp-255/1/0 disable
request virtual-chassis vc-port delete pic-slot 1 port 0
show virtual-chassis vc-port

Example of Virtual Chassis configuration

edit virtual-chassis
set preprovisioned
set member 0 role routing-engine
set member 0 serial-number XX0123456789
set member 1 role line-card
set member 1 serial-number XX0987654321
set member 2 role routing-engine
set member 2 serial-number XX1234123412
set member 3 role line-card
set member 3 serial-number XX9128387465

Commands to monitor Virtual Chassis

show configuration virtual-chassis
show virtual-chassis status
show virtual-chassis vc-port

Failover between Switches acting as Routing-Engines in Virtual-Chassis

request chassis routing-engine master switch

Another example of configuring Virtual-Chassis

EX1

edit virtual-chassis
set member 0 mastership-priority 255
set no-split-detection

request virtual-chassis vc-port set interface vcp-255/1/0
request virtual-chassis vc-port set interface vcp-255/1/1

request virtual-chassis vc-port set interface vcp-255/1/1 member 1

EX2

request virtual-chassis vc-port set interface vcp-255/1/0

To return to standalone mode:

EX1

request virtual-chassis vc-port delete pic-slot 1 port 0
request virtual-chassis vc-port delete pic-slot 1 port 0 member 1

request virtual-chassis vc-port delete pic-slot 1 port 1
request virtual-chassis vc-port delete pic-slot 1 port 1 member 1

request virtual-chassis recycle member-id 0
request virtual-chassis renumber member-id 1 new-member-id 0
request virtual-chassis recycle member-id 1

MSTP

show spanning-tree mstp configuration
show spanning-tree interface
show spanning-tree bridge

edit protocols mstp
set configuration-name <CONFIGURATION_NAME>  # Optional but must match on all switches in the MSTP region. Defaults to blank.
set revision-level <REVISION_LEVEL>          # Optional but must match on all switches in the MSTP region. Defaults to zero (0).

set interface <INTERFACE_NAME>  # Interfaces participating in MSTP

# VLANs not part of any MSTI are assigned to MSTI 0 (CST)
set msti <MSTI_ID> bridge-priority <PRIORITY>
set msti <MSTI_ID> vlan <VLAN_ID>|<VLAN_NAME>

set msti <MSTI_ID> bridge-priority <PRIORITY>
set msti <MSTI_ID> vlan <VLAN_ID>|<VLAN_NAME>

Non-ELS vs ELS

ethernet-switching-options vs switch-options

  • Non-ELS use edit ethernet-switching-options hierarchy for Layer 2 feature configurations.
  • ELS uses edit switch-options instead.

RVI interfaces vs IRB interfaces

These are used for Layer 3, similar to Cisco SVIs.

  • Non-ELS uses RVIs (Routed Vlan Interfaces)

set interfaces vlan.11 family inet address 172.23.11.10/24
set interfaces vlan.12 family inet address 172.23.12.10/24
set vlans <VLAN11> vlan-id 11
set vlans <VLAN11> l3-interface vlan.11
set vlans <VLAN12> vlan-id 12
set vlans <VLAN12> l3-interface vlan.12

  • ELS uses IRB (Integrated Routing and Bridging)

set interfaces irb.11 family inet address 172.23.11.10/24
set interfaces irb.12 family inet address 172.23.12.10/24
set vlans <VLAN11> vlan-id 11
set vlans <VLAN11> l3-interface irb.11
set vlans <VLAN12> vlan-id 12
set vlans <VLAN12> l3-interface irb.12

Routing

show route hidden
show route <NETWORK>
show route <NETWORK> exact
show route <NETWORK> exact detail
show route <NETWORK> exact extensive

Junos OS               Cisco IOS
show route             show ip route
show bgp summary       show ip bgp summary
show bgp neighbor      show ip bgp neighbor
show ospf …            show ip ospf …

Junos OS                                             Cisco IOS
Route Preference                                     Administrative Distance
Same Route Preference for IBGP and EBGP by default   IBGP has a higher Administrative Distance than EBGP routes

Route Preference Values

Source                     Default Preference
Direct                     0
Local                      0
Static                     5
OSPF internal              10
RIP                        100
Aggregate                  130
OSPF AS external           150
BGP (both EBGP and IBGP)   170

Static Routes

set routing-options static route 192.168.7.0/24 next-hop 192.168.2.1

Configure Static Route to Null0

  • reject device will reply with an ICMP Network Unreachable back to the source
  • discard will drop the packet silently

set routing-options static route 192.168.7.0/24 reject
set routing-options static route 192.168.8.0/24 discard

edit routing-options
set static route 10.11.0.0/24 next-hop 192.168.3.1
set static route default next-hop 192.168.1.1

Multiple next-hops - Qualified Next Hop

Qualified Next Hop in Juniper is the equivalent to Floating Static Route in Cisco. It is about configuring a 2nd Static Route to the same destination with a less preferred Route Preference.

edit routing-options
edit static route 10.12.0.0/24
set qualified-next-hop 192.168.2.15 preference 15
set qualified-next-hop 192.168.3.15 preference 30

Recursive static route

Requires the resolve parameter when the next hop is not present in the routing table as a directly connected route.

set routing-options static route 3.3.3.3/32 next-hop 192.168.1.32 resolve

No-readvertise option

Restricts route from being advertised through routing policy; highly suggested for static routes used for management traffic.

set routing-options static route 172.28.102.0/24 next-hop 10.210.11.190
set routing-options static route 172.28.102.0/24 no-readvertise

More Static Route options

Option        Description
as-path       Used if the route is intended to be redistributed into BGP and you want to add values manually to the AS path attribute.
community     Used if this route is intended for BGP, and you want to add community values to the route for your AS.
metric        If multiple routes share the same preference value, then the route with the best metric becomes active in the routing table. Use this value to prefer one route over another in this case.
preference    Used to increase the value of the static routes to prefer other sources of routing information.

Aggregate Static Routes

show route protocol aggregate
show route 172.29.0.0/22 exact detail

edit routing-options
set aggregate route 172.29.0.0/22
set aggregate route 172.25.0.0/16 discard

Generated Static Route

Similar to the Aggregate Static Route. The difference is that the next hop is taken from the “primary contributing route”. The primary contributing route is the route with the lowest Preference that falls within the aggregated range of prefixes. If multiple routes within the aggregated range share the same route preference, the route with the lowest number prefix (not the lowest prefix range) is selected as the primary contributing route.

edit routing-options
set generate route 10.0.0.0/16

Example of Conditional Route Advertisement

OSPF to advertise default route 0.0.0.0/0 only if we have received 10.0.0.0/16 via BGP (and is installed in the Routing Table)

edit policy-options
set policy-statement MATCH_CONTRIBUTING_PREFIX term MATCH_BGP_PREFIX from protocol bgp
set policy-statement MATCH_CONTRIBUTING_PREFIX term MATCH_BGP_PREFIX from route-filter 10.0.0.0/16 exact
set policy-statement MATCH_CONTRIBUTING_PREFIX term MATCH_BGP_PREFIX then accept
set policy-statement MATCH_CONTRIBUTING_PREFIX term ELSE-REJECT then reject

set policy-statement EXPORT_DEFAULT term MATCH_DEFAULT from protocol aggregate
set policy-statement EXPORT_DEFAULT term MATCH_DEFAULT from route-filter 0.0.0.0/0 exact
set policy-statement EXPORT_DEFAULT term MATCH_DEFAULT then accept

top
edit routing-options
set generate route 0.0.0.0/0 policy MATCH_CONTRIBUTING_PREFIX

top
edit protocols ospf
set export EXPORT_DEFAULT
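As an added example (not the post's own code and not Junos), the two mechanisms above modelled in Python: how a generated route picks its next hop from the primary contributing route, and how the policy on the generate statement makes the default route conditional so that EXPORT_DEFAULT has something to export into OSPF only while the BGP route is present. The RIB entries are constructed; the tie-break on equal prefix numbers (shorter mask first) is an assumption.

```python
import ipaddress

# Constructed routing table: (prefix, protocol, preference, next-hop).
# Preferences are the Junos defaults (static 5, OSPF 10, BGP 170).
RIB = [
    ("10.0.0.0/16", "bgp", 170, "192.168.2.15"),    # learned from the BGP peer
    ("10.0.1.0/24", "static", 5, "192.168.3.15"),
    ("10.0.2.0/24", "static", 5, "192.168.4.15"),
    ("172.16.0.0/24", "ospf", 10, "192.168.5.15"),
]


def match_contributing_prefix(prefix, protocol):
    """Policy MATCH_CONTRIBUTING_PREFIX from above: accept only the BGP
    route 10.0.0.0/16 exact; the ELSE-REJECT term drops everything else."""
    return protocol == "bgp" and prefix == "10.0.0.0/16"


def generated_route(rib, generated, policy=None):
    """Return (generated prefix, next-hop, primary contributing prefix), or
    None when nothing contributes and the generated route stays inactive."""
    gen = ipaddress.ip_network(generated)
    contributors = []
    for prefix, protocol, preference, next_hop in rib:
        network = ipaddress.ip_network(prefix)
        # a contributing route must be more specific than the generated one
        if network == gen or not network.subnet_of(gen):
            continue
        # the policy on 'generate route ... policy' filters the contributors
        if policy is not None and not policy(prefix, protocol):
            continue
        contributors.append((preference, int(network.network_address),
                             network.prefixlen, next_hop, prefix))
    if not contributors:
        return None
    # primary contributing route: lowest preference, then lowest prefix number
    # (equal numbers broken by the shorter mask: an assumption of this model)
    _, _, _, next_hop, primary = min(contributors)
    return (generated, next_hop, primary)


def ospf_export_default(rib):
    """EXPORT_DEFAULT: OSPF exports 0.0.0.0/0 only while the generated
    (protocol aggregate) default route is active."""
    route = generated_route(rib, "0.0.0.0/0", match_contributing_prefix)
    return [route[0]] if route else []
```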

Martian addresses

Hosts or network addresses for which all routing information is ignored. Martian addresses are never installed in the routing table (also known as the routing information base, RIB).

Default Martian Addresses for IPv4 and IPv6

IPv4 | IPv6
--- | ---
0.0.0.0/8 orlonger | Loopback address
127.0.0.0/8 orlonger | Reserved and unassigned prefixes from RFC 2373
192.0.0.0/24 orlonger | Link-local unicast prefix
240.0.0.0/4 orlonger |

Match types: exact, longer, orlonger, prefix-length-range, through and upto

show route martians
edit routing-options
set martians 23.0.0.0/8 orlonger
set martians 31.0.0.0/8 orlonger
set martians 36.0.0.0/8 orlonger

# To remove an IP address block from the Martian address list, use the allow keyword
set martians 240.0.0.0/4 orlonger allow
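As an added example (not the post's own code and not Junos), the route-filter match types listed above re-implemented in Python and then used to evaluate the default IPv4 martian table together with the set martians statements above. Treating an allow entry as a longest-match override that wins ties against the martian entry is an assumption of this example.

```python
import ipaddress


def net(s):
    return ipaddress.ip_network(s)


def route_filter_match(cand, prefix, mtype, arg=None):
    """True when `cand` matches the route-filter entry (prefix, match type)."""
    if mtype == "exact":
        return cand == prefix
    if mtype == "longer":                 # more specific than prefix, not equal
        return cand != prefix and cand.subnet_of(prefix)
    if mtype == "orlonger":               # the prefix itself or more specific
        return cand.subnet_of(prefix)
    if mtype == "upto":                   # orlonger, mask length <= arg
        return cand.subnet_of(prefix) and cand.prefixlen <= arg
    if mtype == "prefix-length-range":    # orlonger, mask length in [lo, hi]
        lo, hi = arg
        return cand.subnet_of(prefix) and lo <= cand.prefixlen <= hi
    if mtype == "through":                # prefix, arg, and every prefix between
        return cand.subnet_of(prefix) and arg.subnet_of(cand)
    raise ValueError(f"unknown match type {mtype}")


# Martian list: the IPv4 defaults from the table above, the three added
# 'set martians' blocks, and the 'allow' carve-out for 240.0.0.0/4.
MARTIANS = [
    (net("0.0.0.0/8"), "orlonger", False),
    (net("127.0.0.0/8"), "orlonger", False),
    (net("192.0.0.0/24"), "orlonger", False),
    (net("240.0.0.0/4"), "orlonger", False),
    (net("23.0.0.0/8"), "orlonger", False),
    (net("31.0.0.0/8"), "orlonger", False),
    (net("36.0.0.0/8"), "orlonger", False),
    (net("240.0.0.0/4"), "orlonger", True),    # 'allow' entry
]


def is_martian(prefix, martians=MARTIANS):
    """True when the route would be ignored, i.e. never installed in the RIB."""
    cand = net(prefix)
    hits = [(p.prefixlen, allow) for p, mtype, allow in martians
            if p.version == cand.version and route_filter_match(cand, p, mtype)]
    if not hits:
        return False
    _, allow = max(hits)                  # longest match wins; allow wins a tie
    return not allow
```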

Routing instances

show route instance

show interfaces terse routing-instance <INSTANCE_NAME>
show route table <INSTANCE_NAME>

ping X.X.X.X routing-instance <INSTANCE_NAME>

Configure:

edit routing-instances <INSTANCE_NAME>
set instance-type virtual-router
set interface ge-0/0/x.0
set interface ge-0/0/y.0
set interface lo0.x
set routing-options static route 0.0.0.0/0 next-hop 172.26.25.1
set protocols ospf area 0.0.0.0 interface ge-0/0/x.0
set protocols ospf area 0.0.0.0 interface ge-0/0/y.0
set protocols ospf area 0.0.0.0 interface lo0.x

OSPF

show ospf statistics
show ospf database
show ospf interface [extensive]
show ospf neighbor [extensive]
show ospf route
show ospf log
show route protocol ospf
set routing-options router-id <X.X.X.X>

set protocols ospf area <AREA-ID> <AREA-OPTIONS>
set protocols ospf area <AREA-ID> interface <INTERFACE-NAME> <INTERFACE-OPTIONS>

set protocols ospf3 area <AREA-ID> <AREA-OPTIONS>
set protocols ospf3 area <AREA-ID> interface <INTERFACE-NAME> <INTERFACE-OPTIONS>

Another example:

edit protocols ospf

set area 2 interface vlan.5
set area 2 interface ge-0/0/4.0
set area 2 interface ge-0/0/4.0 passive
set area 2 interface vlan.5 metric 200

set area 2 stub
set area 3 nssa

set area 2 stub default-metric 1
set area 3 nssa default-lsa default-metric 1

NOTE: Loopback interfaces are set to passive implicitly in OSPF by Junos OS

Redistribute from Static Routes to OSPF

edit policy-options
edit policy-statement static-to-ospf
edit term match-internal-static

set from protocol static
set from route-filter 192.168.0.0/16 orlonger
set then metric 100
set then external type 2
set then accept

edit protocols ospf
set export static-to-ospf

OSPF authentication

edit protocols ospf area 0.0.0.2
set interface vlan.5 authentication md5 1 key <SUPER_SECRET_KEY>

OSPF interface type

edit protocols ospf area 0
set interface all interface-type p2p

Set Router-ID

edit routing-options
set router-id 10.10.10.10

Debug OSPF

set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail
show log ospf-trace

Use show log <FILENAME> or monitor start to see the “trace” information.

Summarize in OSPF

edit protocols ospf
edit area <X>
set area-range 192.168.0.0/21
or
set nssa area-range 192.168.0.0/21 [restrict]

Storm Control

Storm control monitors traffic levels and drops traffic when the threshold (the storm control level) is exceeded, preventing traffic storms from proliferating and degrading LAN performance.

When the storm control level is exceeded, the switch can either:

  • Drop offending traffic (default) or
  • Shut down the interface through which the traffic is passing.

With the default configuration, all broadcast, multicast, and unknown unicast (BUM) traffic that exceeds the 80 percent level is dropped.

show interfaces xe-0/0/x extensive
show ethernet-switching interface xe-0/0/x
show log messages | match l2ald | match xe-0/0/x

When action-shutdown is configured, this command manually recovers the port.

clear ethernet-switching recovery-timeout

Example 1:

edit forwarding-options
set storm-control-profiles drop-at-1G-profile all bandwidth-level 1000000

top
set interfaces xe-0/0/x.0 family ethernet-switching storm-control drop-at-1G-profile

Example 2:

edit forwarding-options
set storm-control-profiles my-profile all bandwidth-level 5000
set storm-control-profiles my-profile action-shutdown

top
set interfaces xe-0/0/x.0 family ethernet-switching storm-control my-profile
set interfaces xe-0/0/x.0 family ethernet-switching recovery-timeout 3600

RTG - Redundant Trunk Group

RTGs are used as an alternative to STP on trunk ports in redundant enterprise networks. RTG is typically only configured on access switches. RTG and STP are mutually exclusive on a given port.

show redundant-trunk-group
edit switch-options redundant-trunk-group
set group <RTG_NAME> interface xe-0/0/x.0 primary
set group <RTG_NAME> interface xe-0/0/y.0

Optional.

set group <RTG_NAME> preempt-cutover-timer 30  # this is in seconds

Graceful Routing Engine Switchover (GRES)

Minimizes downtime during Routing Engine transitions. GRES often works in conjunction with NSR (Non-Stop Routing) to maintain uninterrupted control plane operation during a switchover event.

show system switchover
show chassis routing-engine
set virtual-chassis member 0 mastership-priority <PRIORITY>
set virtual-chassis member 1 mastership-priority <PRIORITY>

set chassis redundancy graceful-switchover

IRB Bridging

IRB interfaces are used to do inter-vlan Routing. They are the equivalent to Cisco SVIs.

IRBs must be associated with a VLAN and must have an operational L2 interface participating in that VLAN before they become operational.

All EX-Series switches running ELS (Enhanced Layer 2 Software) support IRBs as well as other Layer 3 routing operations.

set vlans blue vlan-id 10 l3-interface irb.10
set vlans green vlan-id 20 l3-interface irb.20

set interfaces irb.10 family inet address 192.168.10.1/24
set interfaces irb.20 family inet address 192.168.20.1/24

delete interfaces xe-0/0/x.0 family inet
delete interfaces xe-0/0/y.0 family inet
set interfaces xe-0/0/x.0 family ethernet-switching vlan members blue
set interfaces xe-0/0/y.0 family ethernet-switching vlan members green

Load Balancing

This is ECMP (Equal Cost Multi-Path)

  • Per packet (not recommended)
  • Per flow. This is the one we are configuring

IMPORTANT: Defining and applying a load-balancing policy affects only the forwarding table (show route forwarding-table). The routing table (show route) remains as it was before you defined and applied the load-balancing policy.

show route 1.1.1.1
show route forwarding-table | match 1.1.1.1   # Here is where we should see the ECMP entry
edit policy-options policy-statement load-balance-loopback
set from route-filter 1.1.1.1/32 exact
set then load-balance per-packet   # this actually means "per flow"

top edit routing-options
set forwarding-table export load-balance-loopback

Another example, this time for all routes with ECMP entries in the routing table.

set policy-options policy-statement LOAD_BALANCE_ALL then load-balance per-packet
set routing-options forwarding-table export LOAD_BALANCE_ALL

By default, the ECMP hash is based on source IP, destination IP and the L4 protocol. To include Layer 4 port information in the ECMP forwarding hash, configure the following; note that the layer-3 and layer-4 keywords must both be present in the configuration.

set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4

This also is optional for MPLS (set family mpls) and VPLS (set family multiservices). For IPv6, Junos OS already performs ECMP based on L3 & L4 information in the Forwarding Table by default.
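As an added example (not the post's own code and not Junos), a Python stand-in for the forwarding-table hash that shows why the layer-3 keys alone put every flow between the same two hosts on one ECMP path, while adding the layer-4 keys spreads them. The SHA-256-based hash and the 64 constructed flows are this example's assumptions, not the algorithm the packet forwarding engine uses.

```python
import hashlib
from collections import Counter


def hash_key(flow, layer_4=False):
    """Select the fields that enter the hash, as the hash-key config does."""
    src, dst, proto, sport, dport = flow
    fields = [src, dst, str(proto)]            # layer-3: src IP, dst IP, protocol
    if layer_4:
        fields += [str(sport), str(dport)]     # layer-4: source and destination port
    return "|".join(fields)


def ecmp_select(flow, paths, layer_4=False):
    """Pick one next hop for the flow; stand-in hash, not the PFE's own."""
    digest = hashlib.sha256(hash_key(flow, layer_4).encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def path_distribution(flows, paths, layer_4=False):
    """How many flows land on each next hop under the chosen hash keys."""
    return Counter(ecmp_select(f, paths, layer_4) for f in flows)


# Constructed: 64 TCP flows from one client to one server, distinct source ports,
# which is what a single host talking to a single service looks like.
FLOWS = [("192.168.1.10", "1.1.1.1", 6, 40000 + i, 443) for i in range(64)]
PATHS = ["192.168.2.15", "192.168.3.15"]      # two equal-cost next hops
```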

Filter-Based Forwarding

This is like PBR (Policy-Based Routing) in Cisco IOS.

  1. Create a match filter: defined under the [edit firewall] hierarchy. Each term matches traffic and sends it to the respective routing instance. The filter is applied as an input filter on the ingress interface.

Example:

set firewall family inet filter <FILTER_NAME> term <TERM_NAME_A> from <MATCH_CONDITIONS>
set firewall family inet filter <FILTER_NAME> term <TERM_NAME_A> then routing-instance <INSTANCE_NAME_A>

set firewall family inet filter <FILTER_NAME> term <TERM_NAME_B> from <MATCH_CONDITIONS>
set firewall family inet filter <FILTER_NAME> term <TERM_NAME_B> then routing-instance <INSTANCE_NAME_B>

set firewall family inet filter <FILTER_NAME> term <TERM_NAME_C> then accept

  2. Create routing instances: defined under the [edit routing-instances] hierarchy. Each creates a unique routing table that forwards traffic toward the destination along the associated path. The instance holds routing information (typically a default static route) stored in its own route table.
set routing-instances <INSTANCE_NAME_A> instance-type forwarding
set routing-instances <INSTANCE_NAME_A> routing-options static route 0.0.0.0/0 next-hop <NEXT_HOP_IP>

set routing-instances <INSTANCE_NAME_B> instance-type forwarding
set routing-instances <INSTANCE_NAME_B> routing-options static route 0.0.0.0/0 next-hop <NEXT_HOP_IP>

  3. Create a RIB group: defined under the [edit routing-options] hierarchy. Shares interface routes between instances so that directly connected next hops can be resolved.

NOTE: You cannot associate any interface with a routing instance of type forwarding. Therefore, a RIB group is required to share the interface routes that resolve the next-hop IP of the static routes into those routing instances.

set routing-options rib-groups <GROUP_NAME> import-rib [ inet.0 <INSTANCE_NAME_A>.inet.0 <INSTANCE_NAME_B>.inet.0 ]
set routing-options interface-routes rib-group inet <GROUP_NAME>

Alternatively to RIB groups, use the instance-import option.

# the master keyword is used to refer to master routing instance to import routes from inet.0 into ISP-A.inet.0
set policy-options policy-statement <ISP-A-import> from instance master then accept

set routing-instances <INSTANCE_NAME_B> instance-type forwarding
set routing-instances <INSTANCE_NAME_B> routing-options static route 0.0.0.0/0 next-hop <NEXT_HOP_IP>
set routing-instances <INSTANCE_NAME_B> routing-options instance-import <ISP-A-import>

Another example:

show firewall family inet filter customer-servers
show route instance
show route table ISP-A.inet.0
show route table ISP-B.inet.0

Step 1

edit firewall family inet filter customer-servers
set term match-serverA-subnet from source-address 12.1.1.0/24
set term match-serverA-subnet then routing-instance ISP-A
set term match-serverB-subnet from source-address 12.2.2.0/24
set term match-serverB-subnet then routing-instance ISP-B

edit interfaces ge-0/0/x.0 family inet
set filter input customer-servers

Step 2

edit routing-instances
set ISP-A instance-type forwarding
set ISP-A routing-options static route 0/0 next-hop 10.1.0.2
set ISP-B instance-type forwarding
set ISP-B routing-options static route 0/0 next-hop 10.1.0.6

Step 3

edit routing-options
set rib-groups FBF-rib-group import-rib [inet.0 ISP-A.inet.0 ISP-B.inet.0]
set interface-routes rib-group inet FBF-rib-group

set rib-groups FBF-rib-group import-policy <POLICY_NAME>  # optional
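As an added example (not the post's own code and not Junos), the three steps above modelled in Python: the filter picks the table a packet is looked up in, each forwarding instance holds only its static default, and the RIB group is what lets that default's next hop resolve to a direct route. Addresses, interface names and the next hops other than those of Step 2 are constructed.

```python
import ipaddress

# Step 1: filter customer-servers. Terms are evaluated in order; a packet
# matching no term is accepted and stays in the master table inet.0.
FILTER_TERMS = [
    ("match-serverA-subnet", "12.1.1.0/24", "ISP-A"),
    ("match-serverB-subnet", "12.2.2.0/24", "ISP-B"),
]

# inet.0 holds the interface (direct) routes and the normal default route.
INET0 = {
    "10.1.0.0/30": ("direct", "ge-0/0/1.0"),   # link towards ISP-A
    "10.1.0.4/30": ("direct", "ge-0/0/2.0"),   # link towards ISP-B
    "10.9.9.0/24": ("direct", "ge-0/0/3.0"),   # link used by the normal default
    "0.0.0.0/0": ("static", "10.9.9.1"),
}
# Step 2: the forwarding instances contain only their static default route.
INSTANCES = {
    "ISP-A.inet.0": {"0.0.0.0/0": ("static", "10.1.0.2")},
    "ISP-B.inet.0": {"0.0.0.0/0": ("static", "10.1.0.6")},
}


def select_table(src_ip):
    """Apply the input filter: return the table the packet is looked up in."""
    src = ipaddress.ip_address(src_ip)
    for _term, prefix, instance in FILTER_TERMS:
        if src in ipaddress.ip_network(prefix):
            return f"{instance}.inet.0"
    return "inet.0"


def build_tables(rib_group=True):
    """Step 3: with the RIB group, the interface routes of inet.0 are
    imported into both forwarding instances; without it they are absent."""
    tables = {"inet.0": dict(INET0)}
    for name, routes in INSTANCES.items():
        table = dict(routes)
        if rib_group:
            table.update({p: r for p, r in INET0.items() if r[0] == "direct"})
        tables[name] = table
    return tables


def lookup(table, ip):
    """Longest-prefix match; returns (kind, target) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, route in table.items():
        network = ipaddress.ip_network(prefix)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, route)
    return best[1] if best else None


def forward(src_ip, dst_ip, rib_group=True):
    """Return (table, next hop, egress interface), or None when the static
    next hop cannot be resolved to a direct route in the same table."""
    name = select_table(src_ip)
    table = build_tables(rib_group)[name]
    route = lookup(table, dst_ip)
    if route is None:
        return None
    kind, target = route
    if kind == "direct":
        return (name, dst_ip, target)
    resolved = lookup(table, target)          # resolve the static next hop
    if resolved is None or resolved[0] != "direct":
        return None
    return (name, target, resolved[1])
```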

BGP

show bgp summary
show bgp neighbor <X.X.X.X>
show bgp group
show route protocol bgp [detail|extensive]
show route receive-protocol bgp <NEIGHBOR-ADDRESS>  # Before the effects of import-policy
show route advertising-protocol bgp <NEIGHBOR-ADDRESS>  # After the effects of export-policy
edit routing-options
set autonomous-system <ASN>

top
edit protocols bgp
edit group <GROUP-NAME>
set type external
set neighbor <NEIGHBOR_IP>
set peer-as <PEER_ASN>

Another example:

set routing-options router-id <X.X.X.X>
set routing-options autonomous-system <ASN>

set protocols bgp group <GROUP_NAME> type external
set protocols bgp group <GROUP_NAME> peer-as <ASN>
set protocols bgp group <GROUP_NAME> neighbor <X.X.X.X>

set protocols bgp group <GROUP_NAME> type internal
set protocols bgp group <GROUP_NAME> local-address <X.X.X.X>
set protocols bgp group <GROUP_NAME> neighbor <X.X.X.X>
set protocols bgp group <GROUP_NAME> export NEXT_HOP_SELF_POLICY  # Next-hop-self example
set protocols bgp group <GROUP_NAME> export ADVERTISE_AGGREGATE   # Advertise an aggregate route example

# Next-hop-self example
set policy-options policy-statement NEXT_HOP_SELF_POLICY then next-hop self

# Advertise an aggregate route example
set routing-options aggregate route 172.24.0.0/22
set policy-options policy-statement ADVERTISE_AGGREGATE term MATCH_AGGREGATE from protocol aggregate
set policy-options policy-statement ADVERTISE_AGGREGATE term MATCH_AGGREGATE from route-filter 172.24.0.0/22 exact
set policy-options policy-statement ADVERTISE_AGGREGATE term MATCH_AGGREGATE then accept

Redistribute connected into BGP

edit policy-options policy-statement BGP-connected
set term 1 from protocol direct
set term 1 then accept

top
edit protocols bgp group <GROUP-NAME>
set export BGP-connected

Tunneling

  • GRE adds 24 bytes of overhead to the packet.
  • GRE uses IP protocol 47.
  • GRE uses gr-x/y/z naming convention.
  • GRE configuration example
show interfaces gr-0/0/0 terse
show route X.X.X.X
show interfaces gr-0/0/0.0 detail | find "traffic statistics"
set interfaces gr-0/0/0.0 tunnel source <X.X.X.X>
set interfaces gr-0/0/0.0 tunnel destination <Y.Y.Y.Y>
set interfaces gr-0/0/0.0 family inet

set routing-options static route 192.168.2.0/24 next-hop gr-0/0/0.0
  • GRE keepalives configuration:
set protocols oam gre-tunnel interface gr-x/y/z.A keepalive-time 10
set protocols oam gre-tunnel interface gr-x/y/z.A hold-time 30
  • IP over IP (IP-IP) adds 20 bytes of overhead to the packet.
  • IP-IP can only tunnel IP traffic.
  • IP-IP uses ip-x/y/z naming convention.

Configure PMTUD (Path MTU Discovery)

set system internet-options gre-path-mtu-discovery|ipip-path-mtu-discovery

Graceful Restart

set routing-options graceful-restart

This command restarts the rpd process.

restart routing

BFD

show bfd session

Enabling BFD on OSPF

set protocols ospf area X interface ge-0/0/x.0 bfd-liveness-detection minimum-interval 300

Enabling BFD on BGP

set protocols bgp group <GROUP_NAME> neighbor <X.X.X.X> bfd-liveness-detection minimum-interval 300

VRRP - Virtual Router Redundancy Protocol

Industry standard defined in RFC 2338, with Master and Backup routers.

  • VRRP communication uses the multicast destination IP address 224.0.0.18 with a TTL of 255.
  • The hello interval is 1 second by default.
  • VRID and authentication must match for VRRP routers to sync with each other.
  • The Master Router replies to ARP requests with MAC 00:00:5E:00:01:VRID.
  • Default priority is 100. The VRRP router with the highest priority gets elected as the Master Router.
  • If the VRRP router owns the VIP address, the priority must be set to 255.

Term | Description
--- | ---
VRRP Router | Any router participating in VRRP, including the master and all backup routers
Master Router | VRRP router performing packet forwarding and responding to ARP requests
Backup Routers | VRRP router available to accept the role of the master router upon failure
Virtual Router | Virtual entity that functions as the default router on a LAN; consists of a virtual router ID and an IP address used as the gateway address, known as the VIP address

VRRP States

VRRP State | Description
--- | ---
Initialize | Router negotiates VRRP roles through startup events; no forwarding can be performed while in this state
Master | Router assumes traffic forwarding responsibilities for the LAN and responds to ARP requests
Backup | Router monitors the master VRRP router and is ready to assume forwarding responsibilities if a failure occurs
Transition | Router switches between master and backup states; no forwarding can be performed while in this state

Sample VRRP configuration

R1 - Master Router

set interface ge-0/0/x.0 family inet address 192.168.1.2/24 vrrp-group <X> virtual-address 192.168.1.1 priority 100

R2 - Backup Router

set interface ge-0/0/x.0 family inet address 192.168.1.3/24 vrrp-group <X> virtual-address 192.168.1.1 priority 90

Configuration Option | Description
--- | ---
track | Monitors the state of a specified interface (typically a WAN interface) or route and reduces the designated priority value of the VRRP group if the tracked interface or route is no longer available
accepts-data | Enables the master router to respond to ICMP requests sent to the VIP address; by default, the master router does not respond
authentication-type / authentication-key | Authenticates VRRP messages between VRRP routers (type and key must match on all VRRP routers in the same group)
no-preempt | Disables preemption to avoid unwanted mastership changes. Note: Preemption is enabled by default, which means the router with the highest priority always assumes the master role

Show commands

show vrrp summary

IPv6

show route table inet6
show route table inet6 protocol static
show ipv6 neighbors
show interface terse

IPv6 Static Route configuration example

set routing-options rib inet6.0 static route ::/0 next-hop fec0:0:0:2003::2
set routing-options rib inet6.0 static route ::/0 preference 250

OSPFv3 configuration example

set routing-options router-id 192.168.100.1
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.0

OSPFv2 | OSPFv3
--- | ---
show ospf neighbor | show ospf3 neighbor
show ospf interface | show ospf3 interface
show ospf database | show ospf3 database
show ospf route | show ospf3 route

IS-IS configuration example

show isis interface
show isis adjacency
show isis adjacency detail
set interfaces ge-0/0/1.0 family iso
set interfaces ge-0/0/1.0 family inet6 address fec0:0:0:2003::1/64

set interfaces lo0.0 family iso address 49.0002.1111.1111.1111.00
set interfaces lo0.0 family inet6 address fec0:0:0:1001::1/128

set protocols isis interface ge-0/0/1.0
set protocols isis interface lo0.0

BGP configuration example

show bgp summary
set routing-options router-id 192.168.100.1
set routing-options autonomous-system 64700

set protocols bgp group INT-64700 type internal
set protocols bgp group INT-64700 local-address fec0:0:0:1001::1
set protocols bgp group INT-64700 neighbor fec0:0:0:1002::1

set protocols bgp group EXT-65100 type external
set protocols bgp group EXT-65100 peer-as 65100
set protocols bgp group EXT-65100 neighbor fec0:0:0:2005::2

SRX IPv6 configuration

set security forwarding-options family inet6 mode packet-based

IS-IS

show isis interface
show isis database
show isis database extensive
show isis adjacency
show isis adjacency detail
show isis spf log
show isis statistics
show isis route
show route protocol isis
clear isis adjacency <>

By default, all interfaces are L1 & L2. We can disable either level in the protocols isis configuration hierarchy.

set protocols isis interface ge-0/0/0.0 level 1 disable
set protocols isis interface ge-0/0/1.0 level 2 disable

We must include the family iso on all interfaces on which we want to run IS-IS and a network entity title on one of the router’s interfaces (usually lo0).

set interfaces ge-0/0/1.0 family iso

set interfaces lo0.0 family iso address 49.0002.1111.1111.1111.00

set protocols isis interface ge-0/0/1.0
set protocols isis interface lo0.0

To debug IS-IS, monitor the resulting ISIS_TRACE log file using monitor start <LOG_FILE_NAME> or the show log <LOG_FILE_NAME> commands.

set protocols isis traceoptions file ISIS_TRACE
set protocols isis traceoptions flag error detail
set protocols isis traceoptions flag hello detail
set protocols isis traceoptions flag lsp detail

References

This post is licensed under CC BY 4.0 by the author.