Vlans
In the pre-ELS (Enhanced Layer 2 Software) version of Junos OS, the default VLAN did not have a VLAN ID associated with it and was untagged.
```
show vlans
show vlans <VLAN_NAME> detail
```
```
edit vlans
set default vlan-id 1
set vlan10 vlan-id 10
set vlan20 vlan-id 20
set <VLAN_NAME> vlan-id <VLAN_ID>
```
An alternative way to assign an interface to a VLAN, from the VLAN hierarchy:
```
edit vlans <VLAN_NAME>
set interface <INTERFACE>
```
Interface Monitoring commands
| Juniper command | Cisco command |
|---|---|
| show interfaces descriptions | show interfaces descriptions |
| show interfaces terse | show ip interface brief |
| show ethernet-switching interfaces | show interfaces switchport |
| show ethernet-switching interfaces | show interfaces trunk |
| show vlans | show vlans |
| show ethernet-switching table | show mac address table |
NOTE: show interfaces descriptions lists only the interfaces that have a description configured.
```
show interfaces ge-0/0/x brief
show interfaces ge-0/0/x
show interfaces ge-0/0/x detail
show interfaces ge-0/0/x extensive
```
Log of recent changes in the MAC address table:
```
show ethernet-switching mac-learning-log | except 00:00:00:00:00:00
```
Layer 2 Access & Trunk ports
```
show ethernet-switching table
```
Access Ports
```
delete interfaces xe-0/0/x unit 0 family inet
set interfaces xe-0/0/x unit 0 family ethernet-switching
set interfaces xe-0/0/x unit 0 family ethernet-switching interface-mode access vlan members default
```
or
```
edit interfaces xe-0/0/x.0
delete family inet
edit family ethernet-switching
set interface-mode access vlan members <VLAN_NAME>
```
Trunk Ports
```
edit interfaces xe-0/0/x.0
delete family inet
edit family ethernet-switching
set interface-mode trunk vlan members [vlan10 vlan20]
or
set interface-mode trunk vlan members all # To allow all the configured VLANs on the trunk
set native-vlan-id <VLAN_ID> # optional
```
Voice VLAN
To assign a port to a voice VLAN, in addition to assigning the port to its data VLAN, configure the following under the switch-options hierarchy.
```
edit switch-options
edit voip interface (access-ports | ge-0/0/x.0)
set vlan (<VLAN_NAME> | <VLAN_ID>)
set forwarding-class assured-forwarding
```
Interface Range
Define a range of interfaces that share common configuration parameters.
```
edit interfaces
edit interface-range <RANGE-NAME>
set member-range ge-0/0/x to ge-0/0/z
set unit 0 family ethernet-switching
```
or
```
edit interfaces
edit interface-range <RANGE-NAME>
set member ge-0/0/x
set member ge-0/0/y
set member ge-0/0/z
set unit 0 family ethernet-switching
```
Spanning-Tree
802.1D STP, 802.1w RSTP
```
show spanning-tree bridge
show spanning-tree interface
show spanning-tree statistics interface
show ethernet-switching interfaces
```
Activate RSTP on all interfaces
```
edit protocols rstp
set interface all
```
Activate the bpdu-block-on-edge feature, which shuts down ports configured as edge when they receive an STP BPDU.
```
edit protocols rstp
set bpdu-block-on-edge
set interface xe-0/0/x edge
```
To automatically re-enable a port that was shut down by the bpdu-block-on-edge feature after receiving an STP BPDU:
```
edit protocols
edit layer2-control bpdu-block
set interface xe-0/0/x
set disable-timeout 180
```
To do the same manually:
```
clear error bpdu interface xe-0/0/x
```
To use legacy STP as opposed to RSTP
```
edit protocols rstp
set force-version stp
```
To disable RSTP on a single interface
```
edit protocols rstp
edit interface xe-0/0/x
set disable
```
Modify RSTP Bridge-Priority
```
edit protocols rstp
set bridge-priority 20k
or
set bridge-priority 16k
or
set bridge-priority 8k
```
Modify RSTP cost
```
edit protocols rstp
edit interface xe-0/0/x
set cost <COST>
```
Example:
```
edit protocols rstp
set bridge-priority 20k
set interface ge-0/0/x.0 disable
set interface ge-0/0/y.0 cost 1000
set interface ge-0/0/z.0 edge
set interface ge-0/0/y.0 mode point-to-point
```
MSTP
MSTP provides the same benefits as RSTP, but also provides standardized support to multiple VLANs with different topologies.
Group VLANs
```
set protocols mstp configuration-name example
set protocols mstp msti 1 vlan [1 3 5] # Assign VLANs 1, 3, and 5 to instance 1
set protocols mstp msti 2 vlan [2 4 6] # Assign VLANs 2, 4, and 6 to instance 2
```
BPDU Protection, Root Protection, and Loop Protection
BPDU Protection
Configured on edge ports: incoming BPDUs are dropped and the interface is blocked.
To unblock the interface, run
```
clear error bpdu interface ge-0/0/x
```
or automatically unblock the port after a set time with:
```
edit protocols layer2-control
set bpdu-block disable-timeout <10..3600 SECONDS>
```
With STP enabled
```
show spanning-tree interface ge-0/0/x.0
```
```
edit protocols rstp
set interface ge-0/0/x.0 edge
set bpdu-block-on-edge
```
With STP disabled
```
show interfaces ge-0/0/x
```
```
edit protocols layer2-control
set bpdu-block interface ge-0/0/x.0
```
Root Protection
Enable Root Protection on ports that should not receive superior BPDUs from the root bridge and should not be elected as the root port. It is commonly configured on aggregation-layer switches on the ports facing access-layer switches.
```
show spanning-tree interface
```
```
edit protocols rstp
set interface ge-0/0/x.0 no-root-port
```
Loop Protection
The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports. Enable loop protection on all non-designated ports.
Ports that detect the loss of BPDUs transition to the loop-inconsistent role, which maintains the blocking state. The port automatically transitions back to its previous role, or to a new one, when it receives a BPDU.
When enabling loop protection, it is recommended to enable it on all switch interfaces that have a chance of becoming root or designated ports. It is most effective when it is enabled on all switches within the network.
```
show spanning-tree interface
show log messages | match "loop|protect"
```
```
edit protocols rstp
set interface ge-0/0/x.0 bpdu-timeout-action block
```
NOTE: An interface can be configured for either loop protection or root protection but not both.
Rib-groups
- Define the rib-group under the routing-options hierarchy level
```
edit routing-options rib-groups <RIB-GROUP-NAME>
set import-rib <ROUTING-TABLE-NAME1>
set import-rib <ROUTING-TABLE-NAME2>
```
- Apply the rib-group to routing protocols, interface routes, or both, as needed
```
edit protocols ospf
set rib-group <RIB-GROUP-NAME>
```
```
edit routing-options
set interface-routes rib-group <FAMILY> <RIB-GROUP-NAME>
```
```
edit routing-options
set static rib-group <RIB-GROUP-NAME>
```
- Create a routing-policy (optional)
```
edit policy-options policy-statement <POLICY-NAME> term <TERM_NAME>
set to rib <ROUTING-TABLE-NAME>
set from ...
set then ...
```
- Apply the policy to the rib-group (optional). The import-policy controls which routes are installed in each routing table.
```
edit routing-options rib-groups <RIB-GROUP-NAME>
set import-policy <POLICY-NAME>
```
Mac Limiting
| Juniper term | Cisco term |
|---|---|
| MAC Limiting | Port Security |
| Persistent Learning | Sticky MAC |
```
show ethernet-switching interface xe-0/0/x.0
```
```
edit switch-options
edit interface xe-0/0/x.0
set interface-mac-limit <NUMBER>
set interface-mac-limit packet-action drop
set persistent-learning
```
DHCP snooping, DAI (Dynamic ARP Inspection), IP Source Guard
```
show dhcp-security binding [ip-source-guard]
show dhcp-security arp inspection statistics
```
EX Switch
```
edit ethernet-switching-options
edit secure-access-port interface xe-0/0/x
set dhcp-trusted
edit secure-access-port interface xe-0/0/y
set no-dhcp-trusted
edit vlan default
set examine-dhcp
set arp-inspection
set ip-source-guard
```
QFX Switch
```
edit vlans default forwarding-options dhcp-security
set arp-inspection
set ip-source-guard
set group TRUSTED overrides trusted
set group TRUSTED interface xe-0/0/x.0
set group STATIC-binding interface xe-0/0/x.0 static-ip <IP_ADDRESS> mac <MAC_ADDRESS>
```
LAGs - LACP - Aggregated Ethernet
802.3ad standard. Link aggregation combines multiple Ethernet interfaces into a single link-layer interface, also known as a Link Aggregation Group (LAG) or bundle.
- Full duplex and link speed must match
- Up to 16 member links per LAG
- Member links do not need to be contiguous ports, nor must they be on the same switch when part of a Virtual Chassis
LACP exchanges are made between actors and partners:
- Actor: Local interface
- Partner: Remote interface
LACP exchanges protocol data units (PDUs) across all member links to ensure that each physical interface is configured and is functioning properly.
```
show lacp interfaces
show lacp statistics interfaces
show interfaces terse | match ae
show interfaces extensive ae0.0 | find "LACP Statistics:"
```
- Create aggregated Ethernet interfaces
```
set chassis aggregated-devices ethernet device-count <NUMBER_OF_aeX_INTERFACES>
```
- Configure the aggregated Ethernet interface and associate the desired member links with the LAG
```
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ge-0/0/x ether-options 802.3ad ae0
set interfaces ge-0/0/y ether-options 802.3ad ae0
```
Optional. Set the LACP PDU exchange rate:
```
edit interfaces ae0 aggregated-ether-options lacp
set periodic (fast|slow)
```
Configuring Routed VLAN interfaces
```
edit vlans
set example l3-interface vlan.100
top
edit interfaces vlan
set unit 100 description Example
set unit 100 family inet address 192.168.100.2/24
```
Firewall filters
Firewall filters are not stateful firewall rules, but stateless packet filters just like Cisco IOS ACLs.
Port-based and VLAN-based filters use the family ethernet-switching option, while router-based filters use family inet or family inet6 depending on the traffic type.
- Input order: Rx Packet, Port Filter, VLAN Filter, Router Filter
- Output order: Router Filter, VLAN Filter, Port Filter, Tx Packet
NOTE: A router-based filter that is applied to an integrated routing and bridging (IRB) does not apply to switched packets in the same VLAN.
Junos OS
When a Firewall Filter is applied, the software discards (drops silently) all traffic not explicitly enabled.
- [edit firewall family inet]: IPv4 filters for Layer 3 interfaces
- [edit firewall family inet6]: IPv6 filters for Layer 3 interfaces
- [edit firewall family ethernet-switching]: filters for Layer 2 interfaces
```
edit firewall family inet
edit filter sample-filter
set term block-bad-subnet from source-address 192.168.0.0/24 then discard
set term access-all then accept
```
Applying the Firewall filter to an interface
```
set interfaces vlan.2 family inet filter input|output sample-filter
```
Applying the Firewall filter to an entire VLAN
```
set vlans <VLAN_NAME> filter input|output sample-filter
```
Cisco IOS
```
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip any any
```
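The filter semantics described in this section (top-down term evaluation, implicit discard of anything not explicitly accepted, and the input-side order port filter, VLAN filter, router filter), modelled as an added Python example; this is not Junos code or the page's own, and the packet dictionaries, the field names and the simplified prefix/protocol matching are constructed for illustration.

```python
import ipaddress

# Constructed model (not Junos code) of the page's sample-filter: a list of
# terms, each with "from" match conditions and a "then" action. Matching is
# simplified to address-prefix fields and a list-valued "protocol" field.
SAMPLE_FILTER = [
    {"name": "block-bad-subnet",
     "from": {"source-address": ["192.168.0.0/24"]},
     "then": "discard"},
    {"name": "access-all", "from": {}, "then": "accept"},
]


def term_matches(term, packet):
    """All 'from' conditions of a term must match; an empty 'from' matches everything."""
    for field, wanted in term["from"].items():
        value = packet.get(field)
        if value is None:
            return False
        if field.endswith("-address"):
            addr = ipaddress.ip_address(value)
            if not any(addr in ipaddress.ip_network(p) for p in wanted):
                return False
        elif value not in wanted:  # e.g. "protocol": ["tcp", "udp"]
            return False
    return True


def evaluate(filter_terms, packet):
    """Top-down, first-match evaluation. Returns (action, term_name); a packet
    matching no term gets the implicit discard, reported with term_name None."""
    for term in filter_terms:
        if term_matches(term, packet):
            return term["then"], term["name"]
    return "discard", None


def apply_input_chain(port_filter, vlan_filter, router_filter, packet):
    """Input direction: port filter, then VLAN filter, then router filter.
    A stage with no filter attached (None) is skipped; the first stage that
    discards decides. Returns (action, stage, term). The real port and VLAN
    filters are family ethernet-switching and match Layer 2 fields; this
    model reuses the same packet fields at every stage for simplicity."""
    stages = [("port", port_filter), ("vlan", vlan_filter), ("router", router_filter)]
    for stage, terms in stages:
        if terms is None:
            continue
        action, term = evaluate(terms, packet)
        if action == "discard":
            return "discard", stage, term
    return "accept", None, None
```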
MAC limiting
By default, interfaces have no defined limit on the number of MAC addresses they can learn.
- A VLAN can be configured to limit the number of times a MAC address can move to a new interface within a period of time.
- An interface can be configured to learn only a certain number of MAC addresses, or to process traffic only from specific MAC addresses.
Use MAC limiting to protect the network by:
- Limiting the number of MAC addresses learned on a port
- Preventing MAC address spoofing by explicitly configuring the accepted MAC addresses for a port
- Monitoring MAC address movement between the ports in a VLAN
MAC move limiting is enabled on a per-VLAN basis. For example, if a MAC address moves more than the configured limit within one second, the switch performs the configured action.
When a MAC address or MAC move limit is exceeded, the switch can perform one of the following actions.
| Action | Description |
|---|---|
| none | Does nothing |
| drop | Drops the packet and generates an alarm, an SNMP trap, or a system log entry. |
| log | Does not drop the packet but generates a system log entry. |
| drop-and-log | Drops the packet and generates an alarm, an SNMP trap, or a system log entry. |
| shutdown | Disables the port, blocks data traffic, and generates a system log entry. |
Use recovery-timeout <SECONDS> under the family ethernet-switching interface hierarchy to recover the port automatically. Otherwise the disabled port must be recovered manually by running clear ethernet-switching recovery-timeout.
Configuration example for Static Source MAC addresses
```
show ethernet-switching interface ge-0/0/x
show log messages | match l2ald
clear ethernet-switching recovery-timeout interface ge-0/0/x
```
```
set interfaces ge-0/0/x.0 accept-source-mac mac-address XX:XX:XX:XX:XX:XX
set interfaces ge-0/0/x.0 accept-source-mac mac-address YY:YY:YY:YY:YY:YY
```
```
set interfaces ge-0/0/x.0 interface-mac-limit 2
set interfaces ge-0/0/x.0 interface-mac-limit packet-action log|drop|shutdown|drop-and-log
```
```
set vlans <VLAN_NAME> switch-options mac-move-limit 1 packet-action shutdown
```
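Detection logic for the per-VLAN mac-move-limit described above, as an added Python example (not Junos code or the page's own): it replays constructed log lines written in a simplified form of the mac-learning-log output, skips the all-zero MAC entries the page filters out with except, and reports the VLAN, MAC, interface and packet-action that a move beyond the limit within one second would trigger. The log-line format, the sample MAC addresses and the vlan_config dictionary are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in a simplified mac-learning-log style (assumed format, not
# captured from a switch). The first entry is the all-zero MAC the page excludes.
SAMPLE_LOG = """
Mon Jun 10 10:00:00 2024 vlan_name default mac 00:00:00:00:00:00 was learned on ge-0/0/1.0
Mon Jun 10 10:00:00 2024 vlan_name default mac 00:11:22:33:44:55 was learned on ge-0/0/1.0
Mon Jun 10 10:00:00 2024 vlan_name default mac 00:11:22:33:44:55 was learned on ge-0/0/2.0
Mon Jun 10 10:00:00 2024 vlan_name default mac 00:11:22:33:44:55 was learned on ge-0/0/1.0
Mon Jun 10 10:00:05 2024 vlan_name default mac 00:11:22:33:44:66 was learned on ge-0/0/3.0
Mon Jun 10 10:00:10 2024 vlan_name default mac 00:11:22:33:44:66 was learned on ge-0/0/4.0
Mon Jun 10 10:00:12 2024 vlan_name default mac 00:11:22:33:44:66 was learned on ge-0/0/3.0
Mon Jun 10 10:00:12 2024 vlan_name guest mac 00:11:22:33:44:77 was learned on ge-0/0/5.0
Mon Jun 10 10:00:12 2024 vlan_name guest mac 00:11:22:33:44:77 was learned on ge-0/0/6.0
Mon Jun 10 10:00:12 2024 vlan_name guest mac 00:11:22:33:44:77 was learned on ge-0/0/5.0
""".strip().splitlines()

# Mirrors "set vlans default switch-options mac-move-limit 1 packet-action shutdown";
# the guest VLAN has no mac-move-limit configured and is therefore not checked.
SAMPLE_VLAN_CONFIG = {"default": {"mac-move-limit": 1, "packet-action": "shutdown"}}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) vlan_name (?P<vlan>\S+) "
    r"mac (?P<mac>[0-9A-Fa-f:]{17}) was learned on (?P<iface>\S+)$"
)


def parse_line(line):
    """Return (timestamp, vlan, mac, interface) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["vlan"], m["mac"].lower(), m["iface"]


def detect_mac_moves(lines, vlan_config, window=timedelta(seconds=1)):
    """A 'move' is a learn event for a (vlan, mac) on a different interface than
    the previous one. Moves are counted in a sliding window; when the count
    exceeds the VLAN's mac-move-limit the configured packet-action is reported."""
    last_iface = {}
    move_times = defaultdict(deque)
    violations = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, vlan, mac, iface = parsed
        if mac == "00:00:00:00:00:00":  # flood entries, excluded as on the page
            continue
        prev = last_iface.get((vlan, mac))
        last_iface[(vlan, mac)] = iface
        if prev is None or prev == iface:
            continue  # first sighting or no move
        cfg = vlan_config.get(vlan)
        if cfg is None:
            continue  # no mac-move-limit on this VLAN
        recent = move_times[(vlan, mac)]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > cfg["mac-move-limit"]:
            violations.append((vlan, mac, iface, cfg["packet-action"]))
    return violations
```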
Persistent MAC Learning
Persistent MAC learning, or "Sticky MAC", enables the retention of dynamically learned MAC addresses on a port even after the switch is reloaded or the port is bounced.
Use the clear ethernet-switching table persistent-learning command to clear the persistent MAC address entry from the interface.
If the original port is down when moving the device, the new port learns the MAC address and the device can connect. But if the original port comes up, the original entry is re-installed and the device now on the new port loses connectivity.
```
show ethernet-switching table
```
```
set switch-options interface ge-0/0/x.0 persistent-learning
```
MACsec
Terms:
- CKN - Connectivity Association Key Name
- CAK - Connectivity Association Key
- MKA - MACsec Key Agreement
- SAK - Secure Association Key
Configuring static Connectivity Association Key (CAK) security mode:
- Create connectivity association:
```
set security macsec connectivity-association <CA_NAME>
```
- Configure the MACsec mode as static CAK:
```
set security macsec connectivity-association <CA_NAME> security-mode static-cak
```
- Configure the preshared key with the Connectivity Association Key Name (CKN) and CAK:
```
set security macsec connectivity-association <CA_NAME> pre-shared-key ckn <HEXADECIMAL_NUMBER>
set security macsec connectivity-association <CA_NAME> pre-shared-key cak <HEXADECIMAL_NUMBER>
```
- Associate interfaces with the connectivity association:
```
set security macsec interfaces <INTERFACE_NAME> connectivity-association <CA_NAME>
```
Example:
```
edit security macsec
set connectivity-association ca1
set connectivity-association ca1 security-mode static-cak
set connectivity-association ca1 pre-shared-key ckn <HEXADECIMAL_NUMBER>
set connectivity-association ca1 pre-shared-key cak <HEXADECIMAL_NUMBER>
set interfaces xe-0/1/0 connectivity-association ca1
```
```
show security macsec connections
show security mka statistics
```
DHCP snooping
Attackers can exploit DHCP by setting up a rogue DHCP server, effectively launching a denial of service (DoS) attack. DHCP snooping inspects all DHCP packets on untrusted ports.
- By default, Junos OS detects access ports as untrusted and trunk ports as trusted
- DHCP Servers should be behind trusted ports
DHCP snooping supports DHCP option 82, aka the DHCP relay agent information option.
EX Series switch implementation of option 82 contains three sub-options:
- circuit-id - Identifies the circuit (interface, VLAN or both) on the switch on which the request was received. Example: ge-0/0/10:vlan1 or ge-0/0/10
- remote-id - Identifies the host. By default, it is the MAC address of the Switch but it could be the hostname of the Switch, the interface description, or a character string of your choice.
- vendor-id - Identifies the vendor of the host. If enabled but not specified, the value Juniper is used.
The DHCP Server must be configured to accept Option 82 if enabled on Network devices.
```
show dhcp-security binding
clear dhcp-security binding
clear dhcp-security binding vlan <VLAN_ID>
clear dhcp-security binding interface <INTERFACE_NAME>
clear dhcp-security binding ip-address <IP_ADDRESS>
```
```
# Enabling dhcp-security features under forwarding-options automatically turns on DHCP snooping
set vlans <VLAN_NAME> forwarding-options dhcp-security
# Overrides the default behaviour and allows the specified access interface to receive DHCP server traffic (DHCPOFFER, DHCPACK, DHCPNAK). Trunk ports are trusted by default.
# DHCP servers should be behind trusted ports
set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-1 overrides trusted
set vlans <VLAN_NAME> forwarding-options dhcp-security group trusted-1 interface ge-0/0/x.0
# Access ports are untrusted by default anyway...
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/y.0
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/z.0
# Optional. Add static entries for hosts that do not obtain their address through DHCP
set vlans <VLAN_NAME> forwarding-options dhcp-security group untrusted interface ge-0/0/z.0 static-ip X.X.X.X mac XX:XX:XX:XX:XX:XX
```
Keep the DHCP Snooping database persistent across reboots
```
edit system processes
set dhcp-service dhcp-snooping-file /var/tmp/dhcp-snooping-database
set dhcp-service dhcp-snooping-file write-interval 60
```
```
file show /var/tmp/dhcp-snooping-database
show dhcp-security binding statistics
```
Persistent Dynamic ARP Inspection (DAI)
DHCP snooping must be enabled for DAI to work.
Dynamic ARP Inspection (DAI) examines ARP requests and responses on the LAN. Each ARP packet received on an untrusted access port is validated against the DHCP snooping database. By validating each ARP packet received on untrusted access ports, DAI can prevent ARP spoofing. If the DHCP snooping database does not contain an IP address-to-MAC entry for the information within the ARP packet, DAI drops the ARP packet, preventing the propagation of invalid host address information. DAI also drops ARP packets when the IP address in the packet is invalid because DAI depends on the entries found within the DHCP snooping database. ARP packets bypass DAI on trusted ports.
```
show arp
show dhcp-security binding
show dhcp-security arp inspection statistics
show log messages | match DAI
```
DAI is enabled per VLAN, not on individual ports.
Ports that connect to hosts configured with a static IP address must be set to trusted so that their ARP packets are accepted.
```
# Enable DAI
set vlans <VLAN_NAME> forwarding-options dhcp-security arp-inspection
# Ports that connect to hosts with a static IP address must be trusted so that their ARP packets are accepted
set vlans <VLAN_NAME> forwarding-options dhcp-security group group-1 overrides trusted
set vlans <VLAN_NAME> forwarding-options dhcp-security group group-1 interface ge-0/0/x.0
```
ARP packets are sent to the Routing Engine (RE). To prevent CPU overloading, Junos OS rate-limits the ARP packets hitting the RE.
IP Source Guard
IP Source Guard checks the source IP and MAC address in packets entering untrusted ports against the DHCP snooping database. Packets failing this check are discarded.
IP Source Guard is enabled per VLAN and checks packets only on untrusted access interfaces, never on trunk interfaces or trusted access interfaces.
IP Source Guard prevents IP spoofing attacks by:
- Inspecting IP packets on untrusted ports and validating them against the DHCP snooping database
- Checking whether the source MAC address of the IP packet matches a valid entry in the DHCP snooping database
- Dropping the IP packet if no IP-MAC entry in the database corresponds to the information in the packet
```
show dhcp-security binding
show dhcp-security binding ip-source-guard
```
```
set vlans <VLAN_NAME> forwarding-options dhcp-security ip-source-guard
```
802.1X user authentication is applied in one of three modes:
- Single supplicant: Works with IP source guard
- Single-source supplicant: Does not work with IP source guard
- Multiple supplicant: Does not work with IP source guard
Define a Static IP-MAC under dhcp-security for those hosts with Static IP address configured.
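The DAI and IP Source Guard checks described in the two sections above, run against one constructed DHCP-snooping binding table, as an added Python example (not Junos code or the page's own): ARP packets on trusted ports and trunks bypass DAI, untrusted access ports are validated against the bindings, IP Source Guard applies only on untrusted access ports, and a static-ip/mac entry is what lets a statically addressed host through. The binding entries, port roles, VLAN names and MAC addresses are assumptions.

```python
import ipaddress

# Constructed binding table (assumed data, not from a switch): the entries the
# switch would build from DHCPACKs, keyed by (vlan, ip, mac) -> interface.
BINDINGS = {
    ("default", "192.168.10.11", "00:11:22:33:44:11"): "ge-0/0/1.0",
}

# Per-interface trust as the page describes it: access ports are untrusted by
# default, trunk ports are trusted by default, "overrides trusted" makes an
# access port trusted.
PORT_ROLES = {
    "ge-0/0/1.0": "untrusted",
    "ge-0/0/2.0": "untrusted",
    "ge-0/0/10.0": "trusted",
    "xe-0/0/0.0": "trunk",
}

# Features are enabled per VLAN; a VLAN absent here has neither enabled.
VLAN_SECURITY = {"default": {"arp-inspection": True, "ip-source-guard": True}}


def add_static_binding(bindings, vlan, iface, ip, mac):
    """Equivalent of '... group <G> interface <IF> static-ip <IP> mac <MAC>'."""
    bindings[(vlan, ip, mac.lower())] = iface


def is_trusted(iface):
    return PORT_ROLES.get(iface, "untrusted") in ("trusted", "trunk")


def has_binding(bindings, vlan, ip, mac):
    return (vlan, ip, mac.lower()) in bindings


def dai_check(vlan, iface, sender_ip, sender_mac, bindings=BINDINGS, policy=VLAN_SECURITY):
    """Validate an ARP packet's sender IP/MAC. Returns (action, reason)."""
    if not policy.get(vlan, {}).get("arp-inspection"):
        return "accept", "dai-not-enabled-on-vlan"
    if is_trusted(iface):
        return "accept", "trusted-port-bypass"
    try:
        ipaddress.ip_address(sender_ip)
    except ValueError:
        return "drop", "invalid-ip"
    if has_binding(bindings, vlan, sender_ip, sender_mac):
        return "accept", "binding-match"
    return "drop", "no-binding"


def ipsg_check(vlan, iface, src_ip, src_mac, bindings=BINDINGS, policy=VLAN_SECURITY):
    """Validate an IP packet's source IP/MAC on an untrusted access port only."""
    if not policy.get(vlan, {}).get("ip-source-guard"):
        return "accept", "ipsg-not-enabled-on-vlan"
    if is_trusted(iface):
        return "accept", "not-checked-on-trusted-or-trunk"
    if has_binding(bindings, vlan, src_ip, src_mac):
        return "accept", "binding-match"
    return "drop", "no-binding"
```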
Graceful Routing Engine Switchover (GRES)
Enables system control to switch from the primary RE to the backup RE with minimal interruption to network communications by synchronizing the kernel tables and Packet Forwarding Engine (PFE) tables. This feature requires redundant REs or Virtual Chassis
Nonstop Active Routing (NSR)
Provides high availability on a switch with redundant REs or on a Virtual Chassis by enabling transparent switchover of the REs without requiring a restart of the supported routing protocols, by synchronizing the routing protocol process (rpd) and routing information.
Nonstop Bridging (NSB)
Provides high availability on a switch with redundant REs or on a Virtual Chassis by enabling transparent switchover of the REs without requiring a restart of the supported Layer 2 protocols, by synchronizing the RE process and switching information.
Routing
```
show route hidden
show route <NETWORK>
show route <NETWORK> exact
show route <NETWORK> exact detail
show route <NETWORK> exact extensive
```
| Junos OS | Cisco IOS |
|---|---|
| show route | show ip route |
| show bgp summary | show ip bgp summary |
| show bgp neighbor | show ip bgp neighbor |
| show ospf … | show ip ospf … |

| Junos OS | Cisco IOS |
|---|---|
| Route Preference | Administrative Distance |
| Same Route Preference for IBGP and EBGP by default | IBGP has a higher Administrative Distance than EBGP routes |
Route Preference Values
| Source | Default Preference |
|---|---|
| Direct | 0 |
| Local | 0 |
| Static | 5 |
| OSPF internal | 10 |
| RIP | 100 |
| Aggregate | 130 |
| OSPF AS external | 150 |
| BGP (both EBGP and IBGP) | 170 |
Static Routes
```
set routing-options static route 192.168.7.0/24 next-hop 192.168.2.1
```
Configure Static Route to Null0:
- reject: the device replies with an ICMP Network Unreachable back to the source
- discard: the packet is dropped silently
```
set routing-options static route 192.168.7.0/24 reject
set routing-options static route 192.168.8.0/24 discard
```
```
edit routing-options
set static route 10.11.0.0/24 next-hop 192.168.3.1
set static route default next-hop 192.168.1.1
```
Multiple next-hops - Qualified Next Hop
Qualified Next Hop in Juniper is the equivalent to Floating Static Route in Cisco. It is about configuring a 2nd Static Route to the same destination with a less preferred Route Preference.
```
edit routing-options
edit static route 10.12.0.0/24
set qualified-next-hop 192.168.2.15 preference 15
set qualified-next-hop 192.168.3.15 preference 30
```
Recursive static route
Requires the resolve parameter when the next hop is not a directly connected route in the routing table.
```
set routing-options static route 3.3.3.3/32 next-hop 192.168.1.32 resolve
```
OSPF
```
show ospf statistics
show ospf database
show ospf interface
show ospf neighbor
show route protocol ospf
```
```
edit protocols ospf
set area 2 interface vlan.5
set area 2 interface ge-0/0/4.0
set area 2 interface ge-0/0/4.0 passive
set area 2 interface vlan.5 metric 200
set area 2 stub
set area 3 nssa
set area 2 stub default-metric 1
set area 3 nssa default-lsa default-metric 1
```
NOTE: Loopback interfaces are set to passive implicitly in OSPF by Junos OS.
Redistribute from Static Routes to OSPF
```
edit policy-options
edit policy-statement static-to-ospf
edit term match-internal-static
set from protocol static
set from route-filter 192.168.0.0/16 orlonger
set then metric 100
set then external type 2
set then accept
top
edit protocols ospf
set export static-to-ospf
```
OSPF authentication
```
edit protocols ospf area 0.0.0.2
set interface vlan5 authentication md5 1 key <SUPER_SECRET_KEY>
```
OSPF interface type
```
edit protocols ospf area 0
set interface all interface-type p2p
```
Set Router-ID
```
edit routing-options
set router-id 10.10.10.10
```
Debug OSPF
```
set protocols ospf traceoptions file ospf-trace
set protocols ospf traceoptions flag error detail
set protocols ospf traceoptions flag event detail
show log ospf-trace
```
Summarize in OSPF
```
edit protocols ospf
edit area <X>
set area-range 192.168.0.0/21
or
set nssa area-range 192.168.0.0/21 [restrict]
```
Storm Control
Storm control monitors traffic levels and drops traffic when the threshold (storm control level) is exceeded, so that a traffic storm cannot proliferate and degrade LAN performance.
When the storm control level is exceeded, the switch can either:
- Drop offending traffic (default) or
- Shut down the interface through which the traffic is passing.
With the default configuration, all broadcast, multicast, and unknown unicast (BUM) traffic that exceeds 80 percent is dropped.
```
show interfaces xe-0/0/x extensive
show ethernet-switching interface xe-0/0/x
show log messages | match l2ald | match xe-0/0/x
```
When action-shutdown is configured, this command manually recovers the port.
```
clear ethernet-switching recovery-timeout
```
Example 1:
```
edit forwarding-options
set storm-control-profiles drop-at-1G-profile all bandwidth-level 1000000
top
set interfaces xe-0/0/x.0 family ethernet-switching storm-control drop-at-1G-profile
```
Example 2:
```
edit forwarding-options
set storm-control-profiles my-profile all bandwidth-level 5000
set storm-control-profiles my-profile action-shutdown
top
set interfaces xe-0/0/x.0 family ethernet-switching storm-control my-profile
set interfaces xe-0/0/x.0 family ethernet-switching recovery-timeout 3600
```
RTG - Redundant Trunk Group
RTGs are used as an alternative to STP on trunk ports in redundant enterprise networks. RTG is typically only configured on access switches. RTG and STP are mutually exclusive on a given port.
```
show redundant-trunk-group
```
```
edit switch-options redundant-trunk-group
set group <RTG_NAME> interface xe-0/0/x.0 primary
set group <RTG_NAME> interface xe-0/0/y.0
```
Optional.
```
set group <RTG_NAME> preempt-cutover-timer 30 # this is in seconds
```
Graceful Routing Engine Switchover (GRES)
Minimize downtime during Routing Engine Transitions. GRES often works in conjunction with NSR (Non-Stop Routing) to maintain uninterrupted control plane operation during a switchover event.
```
set virtual-chassis member 0 mastership-priority <PRIORITY>
set virtual-chassis member 1 mastership-priority <PRIORITY>
set chassis redundancy graceful-switchover
```
IRB Bridging
IRB interfaces are used to do inter-vlan Routing. They are the equivalent to Cisco SVIs.
IRBs must be associated with a VLAN and must have an operational L2 interface participating in that VLAN before they become operational.
All EX-Series switches running ELS (Enhanced Layer 2 Software) support IRBs as well as other Layer 3 routing operations.
```
set vlans blue vlan-id 10 l3-interface irb.10
set vlans green vlan-id 20 l3-interface irb.20
set interfaces irb.10 family inet address 192.168.10.1/24
set interfaces irb.20 family inet address 192.168.20.1/24
delete interfaces xe-0/0/x.0 family inet
delete interfaces xe-0/0/y.0 family inet
set interfaces xe-0/0/x.0 family ethernet-switching vlan members blue
set interfaces xe-0/0/y.0 family ethernet-switching vlan members green
```
Load Balancing
This is ECMP (Equal Cost Multi-Path)
- Per packet (not recommended)
- Per flow. This is the one we are configuring
```
show route 1.1.1.1
show route forwarding-table | match 1.1.1.1 # Here is where we should see the ECMP entry
```
```
edit policy-options policy-statement load-balance-loopback
set from route-filter 1.1.1.1/32 exact
set then load-balance per-packet # this actually means "per flow"
top edit routing-options
set forwarding-table export load-balance-loopback
```
Filter-Based Forwarding
This is like PBR (Policy-Based Routing) in Cisco IOS.
```
show firewall family inet filter customer-servers
show route-instances
show route table ISP-A.inet.0
show route table ISP-B.inet.0
```
Step 1
```
edit firewall family inet filter customer-servers
set term match-serverA-subnet from source-address 12.1.1.0/24
set term match-serverA-subnet then routing-instance ISP-A
set term match-serverB-subnet from source-address 12.2.2.0/24
set term match-serverB-subnet then routing-instance ISP-B
edit interfaces ge-0/0/x.0 family inet
set filter input customer-servers
```
Step 2
```
edit routing-instances
set ISP-A instance-type forwarding
set ISP-A routing-options static route 0/0 next-hop 10.1.0.2
set ISP-B instance-type forwarding
set ISP-B routing-options static route 0/0 next-hop 10.1.0.6
```
Step 3
```
edit routing-options
set rib-group FBF-rib-group import-rib [inet.0 ISP-A.inet.0 ISP-B.inet.0]
set interface-routes rib-group inet FBF-rib-group
set rib-group FBF-rib-group import-policy <POLICY_NAME> # optional
```
BGP
```
show bgp summary
show bgp neighbor
show route protocol bgp
show route receive-protocol bgp <NEIGHBOR-ADDRESS>
show route advertising-protocol bgp <NEIGHBOR-ADDRESS>
```
```
edit routing-options
set autonomous-system <ASN>
top
edit protocols bgp
edit group <GROUP-NAME>
set type external
set neighbor <NEIGHBOR_IP>
set peer-as <PEER_ASN>
```
Redistribute connected into BGP
```
edit policy-options policy-statement BGP-connected
set term 1 from protocol direct
set term 1 then accept
top
edit protocols bgp group <GROUP-NAME>
set export BGP-connected
```