Juniper

PlAwAnSaI

Administrator
Service Provider Routing and Switching Certification Track:

www.juniper.net/us/en/training/certification/certification-tracks/sp-routing-switching-track

  • Juniper Networks Learning Paths:
    www.juniper.net/assets/cn/zh/local/pdf/training/certification-paths-by-credential.pdf
  • sh configuration,sh ver,show interface terse,show interfaces [intfc] detail,show route,..
    networking.ringofsaturn.com/Cisco/ciscojuniper.php
  • JUNOS Internet Software Configuration Guide: Getting Started
    www.juniper.net/techpubs/software/junos/junos57/swconfig57-getting-started/html
  • mellowd.co.uk/ccie/?paged=8&tag=juniper
WHAT IS JUNOS?
  • It's Different and That's Okay
  • It's Cool
  • FreeBSD UNIX
  • Modular Architecture
  • Independent Process
  • Hierarchy of Design
JUNOS RUNS THE WORLD
AND MOST OF THE JUNIPER EQUIPMENT:
  • From Branch to Core
  • From Router to Switch to Firewall
  • Same Source Code Base
DESCRIBING THE FUNCTIONS OF THE CONTROL AND
FORWARDING PLANE:
  • Control is Key
  • Routing Engine (RE)
  • Routing Table (RT)
  • Forwarding Table (FT)
  • Packet Forwarding Engine (PFE)
  • Completely Separate Planes
THE CONTROL PLANE:
  • Is the Intelligence of the Platform
  • Routing Tables
  • Bridging Table
  • Primary Forwarding Engine
THE FORWARDING PLANE:
  • ASIC Based
  • Forwarding Table Copy
  • It does the Leg Work
The Junos OS CLI compared with Cisco
The Basics:
  • % cli = ena
  • > edit / configure = conf t
  • # set system root-authentication plain-text-password = username root password
  • # show system = sho run xxx
  • # show system | display set
  • # show interfaces | display set = sho run int
  • > show interfaces terse = sho ip int bri
  • > show configuration | display set

Platforms Running the Junos OS
  • M Series Multiservice Routers can be deployed in both high-end enterprise and service-provider environments.
  • T Series Core Routers are ideal for service provider environments and are deployed within the core of those networks.
  • J Series Services Routers are deployed at branch and remote locations in the network.
  • MX Series Ethernet Services Routers are targeted at dense dedicated access aggregation and provide edge services in medium and large POPs.
  • EX Series Ethernet Switches are designed for access, aggregation, and core deployments and are well suited for enterprise and data center.
  • SRX Series Services Gateways are designed to meet the network and security needs of both enterprise and service provider environments.
  • The Junos OS is compartmentalized into multiple software processes. Each process runs in its own protected memory space, ensuring that one process cannot directly interfere with another. This modularity also ensures that new features can be added with less likelihood of breaking current functionality. These are some advantages of the Junos OS.
  • The primary functions of the control plane are to maintain routing intelligence, control and monitor the chassis, and manage the Packet Forwarding Engine (PFE). The primary functions of the forwarding plane are to forward packets and to implement advanced services.
  • Transit traffic is forwarded through the PFE on platforms running the Junos OS, based on the forwarding table installed on the PFE. Exception traffic is processed locally by the platform running the Junos OS by either the PFE or the RE depending on the type of traffic. Host-bound packets, such as protocol and management traffic, are passed directly to the RE for processing, while traffic requiring ICMP error message responses is typically handled by the PFE.
  • > ?
  • > clear ?
  • > help topic interfaces ?
  • > help topic interfaces address
  • > help reference interfaces address
  • edit - functions like a CD command
  • up - moves up one level
  • up n - moves up n levels
  • top - moves to the top of the hierarchy
  • exit - moves to the previous, higher level in the hierarchy or exits configuration mode if at the top level of the hierarchy
  • Two primary modes exist within the Junos OS: the operational mode and the configuration mode. A third mode also exists in the form of the FreeBSD shell.
    Type configure at the operational mode prompt to enter configuration mode, which allows you to make configuration changes.
  • Use the operational mode to monitor and troubleshoot the software, network connectivity, and hardware. Use the configuration mode to configure a device running the Junos OS, including interfaces, protocols, user access, and system hardware.
  • Use the Spacebar to complete a command and the Tab key to complete a variable.
  • The top command is the quickest method of returning to the top of the hierarchy.
  • The active configuration has been committed and is in use, whereas the candidate configuration is not active until performing a commit operation.
  • The show | compare command displays the differences between the currently active and candidate configurations.


Code:
http://mozquito-network.blogspot.com/2013/11/configure-junos-part-1.html



Juniper Networks Certified Internet Associate (JNCIA) Study Guide
Juniper Networks Certified Internet Professional (JNCIP) Study Guide
Juniper Networks Certified Internet Expert (JNCIE) Study Guide


Code:
https://kb.juniper.net/kb/documents/public/junos/StudyGuides


  • The Routing Engine is the intelligence of the router. It operates the routing protocols and builds a routing and forwarding table. The forwarding table is copied to the Packet Forwarding Engine, where the actual transmission of user data packets is handled.
  • The JUNOS software is stored on the internal flash drive, the internal hard drive, and the removable flash media. When the router begins to boot, the removable media is checked first, followed by the internal flash drive, and finally the internal hard drive.
  • You can save the router's configuration to the hard drive with the save command. The load command restores files to the candidate configuration. The candidate configuration becomes the active configuration with the commit command. You can easily return to a previous configuration with the rollback command.
  • There are four main ASICs used in the Packet Forwarding Engine: the Internet Processor ASIC, the Distributed Buffer Manager ASIC, the I/O Manager ASIC, and the PIC I/O Manager ASIC.

A packet is received on an interface (1,2) and is segmented into J-cells by the I/O Manager ASIC (3). The Distributed Buffer Manager ASIC stores the packet in the shared memory pool (4-6). The Internet Processor ASIC performs a route lookup (7) and sends the result to the Distributed Buffer Manager ASIC (8), which forwards it to the outgoing I/O Manager ASIC (9). After queuing the packet, the I/O Manager ASIC receives the J-cells from the memory pool (10) and re-forms the packet (11). It is sent to the outgoing PIC I/O Manager ASIC for transmission into the network (12).
 

PlAwAnSaI

Administrator
  • An exception packet could be a routing protocol update, a locally addressed packet, or a packet requiring the generation of an ICMP error message. The CPU on the router's control board handles these exception packets and performs the appropriate action.

  • Operating routing protocols, loading the JUNOS software, and controlling the CLI are functions of the Routing Engine.
    The Routing Engine performs multiple functions, including operating the routing protocols on the router, loading the JUNOS software, and controlling the CLI. The Packet Forwarding Engine controls packet forwarding.
  • The Routing Engine is the router component responsible for creating the forwarding table.
    The Routing Engine builds the master routing table, selects the best path to each route, and places those next hops into the forwarding table.
  • The PIC I/O Manager ASIC is responsible for the function of transmitting packets.
    The PIC I/O Manager ASIC is responsible for receiving and transmitting data packets from the physical media connected to the PIC.
  • The Internet Processor ASIC is responsible for the function of performing route lookups.
    The Internet Processor ASIC consults the forwarding table on the control board to determine the next-hop router along the path to the destination.
  • The I/O Manager ASIC is responsible for the function of creating J-cells.
    The I/O Manager ASIC is responsible for multiple functions in the router. One of those is the creation of J-cells from the original data packet.
  • The Distributed Buffer Manager ASIC is responsible for the function of storing packets in memory.
    The primary role of the Distributed Buffer Manager ASIC is storing and retrieving J-cells from the packet storage buffer.
  • A unicast packet is flowing through the Packet Forwarding Engine. The incoming I/O Manager ASIC receives the packet after the incoming PIC I/O Manager ASIC performs its functions.
    After receiving the packet from the physical media and performing any link-layer functions, the incoming PIC I/O Manager ASIC sends the packet to the incoming I/O Manager ASIC on its FPC.
  • The switching control board CPU is the component of the router responsible for handling exception packets.
    The CPU on the router's control board is responsible for handling exception packets. Some of those exception packets might reach the Routing Engine.
  • IP packets with TTL=1 and routing protocol updates are considered exception packets.
    Routing protocol updates and packets requiring an ICMP error message (TTL=1) are considered exception packets. A Juniper Networks router does not communicate using the HTTP or SMTP protocols. Therefore, these packets must be transiting the router and are handled by the Packet Forwarding Engine.
  • The mgd JUNOS software daemon is responsible for operating the CLI.
    The Management Daemon (mgd) is responsible for controlling the CLI process.
  • The rpd JUNOS software daemon is responsible for controlling the routing protocols.
    The Routing Protocol Daemon (rpd) is responsible for all routing protocol activity on the router.
  • When issued from the top of the configuration hierarchy, the save saved-file command creates a file called saved-file that contains the entire candidate configuration.
    The save command takes portions of the candidate configuration and places them in a file you specify. When used from the top of the hierarchy, this process saves the entire candidate configuration.
  • The rollback 5 command places the juniper.conf.5.gz file in the candidate configuration.
    load override juniper.conf.5.gz and load merge juniper.conf.5.gz will look for the juniper.conf.5.gz file in the user's home directory, where it is not stored by default.
  • /var/home is where the router stores each user's home directory.
    Each user configured on the router receives his or her own home directory in the /var/home section of the hard drive.
  • The internal flash drive is the primary boot media for the JUNOS software.
    The router's internal flash drive is the primary boot location for the JUNOS software.
  • The internal hard drive is the secondary boot media for the JUNOS software.
    The router's internal hard drive is the secondary boot location for the JUNOS software.
  • The request system software add filename command loads a new version of the JUNOS software into the internal flash drive.
    The request system software add filename command loads a copy of the JUNOS software onto the router's flash drive.
  • The Ctrl+A Emacs keystroke takes the cursor to the beginning of the command line.
    To reach the beginning of the command line, use the Ctrl+A keystroke. Ctrl+E takes you to the end and Ctrl+W deletes the previous word. Ctrl+D closes your terminal during a load merge terminal operation.
  • The load merge terminal command allows you to paste text directly into the candidate configuration.
    The load merge terminal command allows you to cut and paste configuration directly into the router.
  • When committing a configuration, the commit confirmed command allows the router to automatically return to a previous configuration.
    The commit confirmed command allows the router to return to the previous configuration automatically if you don't issue a regular commit within the default 10-minute timer.

  • The format consists of a two-character media type designator followed by the FPC slot number, the PIC slot number within an FPC, the port number on the PIC, and the logical unit. The format is media_type-fpc/pic/port.unit.
  • Each Juniper Networks router contains the fxp0 and fxp1 permanent interfaces. All interfaces contained on a PIC are considered transient because they can be removed at any time.
  • The inet, inet6, iso, and mpls protocol families are configurable on a Juniper Networks interface.
  • Each interface in the JUNOS software requires some logical properties. These often include the Layer 3 and Layer 2 addressing information for enabling proper network operation.
  • With the show interfaces extensive command, information such as the current status, input/output byte and packet statistics, and input/output error counters is available in the command output.
  • Both loopback and BERT testing help to locate trouble spots on a physical network circuit.

  • Type, FPC, PIC, and port is the order of elements in the JUNOS software interface naming convention.
    The order is the media type, FPC slot number, PIC slot number, and PIC port number.
  • The FPC slots on an M40e are numbered 0 through 7, left to right.
    An M40e has eight vertical FPC slots. They are numbered 0 through 7, left to right.
  • The PIC slots on an M20 FPC are numbered 0 through 3, right to left.
    An M20 has four PIC slots in each FPC. Since the FPC has a horizontal orientation, the PIC slots are numbered 0 through 3, right to left.
  • Permanent and transient are the two different types of interfaces on a Juniper Networks router.
    Juniper Networks routers have two types of interfaces: permanent and transient.
  • Keepalives, description, and FCS are examples of a physical interface configuration.
    Only the protocol address is a logical property of an interface.
 

PlAwAnSaI

Administrator
  • DLCI number and protocol MTU are both examples of logical interface configuration properties.
    Scrambling and description are physical properties.
  • The router assigns a /32 prefix length to an IPv4 address if you do not specify one in the configuration.
    In the absence of a prefix length, the router assumes a 32-bit prefix length for an IPv4 address.
  • The show interfaces so-* terse command displays the status of all SONET interfaces on the router.
    An asterisk ( * ) may be used as a wildcard character. The command show interfaces so-* terse will display the status of all SONET interfaces on the router.
  • An interface has multiple IP addresses configured. The interface's primary address is the lowest numbered address on the interface.
    An interface contains only a single primary address and, by default, it is the lowest numerical prefix on the interface.
  • The result of using the deactivate command is that the configuration is ignored and not applied.
    When an interface has been deactivated, the interface is marked inactive and the configuration statements are ignored when the candidate configuration is committed.
  • In the show interfaces extensive output, the Input Errors field displays framing errors.
    Input Errors are the sum of the incoming frame aborts and FCS errors.
  • The input L3 incompletes field in the show interfaces extensive output displays received packets with a damaged IP header.
    The input L3 incompletes field is a counter that is incremented when the incoming packet fails Layer 3 (usually IPv4) checks of the header.
  • A Frame Relay interface is configured to support DLCI values 40, 50, and 60. Incoming frames with DLCI 45 show up in the input L2 channel errors field of the show interfaces extensive output.
    The input L2 channel errors field is a counter that increments when the software cannot find a valid logical interface for an incoming frame.
  • Time for a bit of JunOS
    mellowd.co.uk/ccie/?p=565
  • The Death of TRILL
    networkingnerd.net/2016/05/11/the-death-of-trill
  • JunOS - The basics
    mellowd.co.uk/ccie/?p=672
  • JunOS vs IOS - Basic OSPF
    mellowd.co.uk/ccie/?p=687
  • Recovering the Root Password
    www.juniper.net/documentation/en_US/junos16.1/topics/task/configuration/authentication-root-password-recovering.html
  • [EX] While booting up, switch stuck in db> mode
    kb.juniper.net/InfoCenter/index?page=content&id=KB20635
  • Create a Windows 7 client in GNS3 using VirtualBox
    www.ninehua.com/index.php/download/doc_download/7-client-windows-7-gns3-virtualbox


  • /31's effect on routing protocols
    mellowd.co.uk/ccie/?p=937
  • Upgrading JUNOS
    mellowd.co.uk/ccie/?p=1135
  • Upgrading the compact flash on a Juniper M10 (RE2.0, RE333)
    mellowd.co.uk/ccie/?p=1188
  • Missing mandatory statement: 'root-authentication'
    root@Olive# set system root-authentication plain-text-password
  • Partition a Juniper router into logical systems
    mellowd.co.uk/ccie/?p=2290
  • First JUNOS logical topology
    mellowd.co.uk/ccie/?p=2321
  • aconaway.com/2012/07/31/junos-basics-configuring-bgp
  • Getting started with JUNOS routing policy
    mellowd.co.uk/ccie/?p=2358
  • JUNOS hard-disk recovery
    mellowd.co.uk/ccie/?p=2456
Cisco > Juniper command:
  • show bgp vrf B0 ipv4 unicast neighbor 10.185.161.210 advertised-routes > show route advertising-protocol bgp 10.185.161.210 table B0
  • show bgp vrf B0 ipv4 unicast neighbor 10.185.161.210 advertised-routes | inc pre > show bgp neighbor instance B0 10.185.161.210 | match Adv
  • show ip interface brief | include 10.97.83.133 > show interfaces terse | match 10.97.83.133
  • show run router bgp 69 vrf B0 > show configuration routing-instances B0 protocols bgp group CI
  • The IP address 10.1.1.1 belongs to Class A of IP address space
  • An IPv6 address consists of 128 bits separated into eight 16-bit hexadecimal sections

  • LSPs (MPLS label-switched paths) are unidirectional, can follow paths other than the IGP's shortest path
  • Packet fragmentation is handled differently between IPv6 and IPv4 in two ways: end hosts determine the path MTU for IPv6, and packet fragmentation occurs at intermediate nodes for IPv4
  • Configuring Static Routing:
    # set routing-options static route 99.0.0.0/17 next-hop 10.0.0.6
    > show route protocol static

    inet.0: 39 destinations, 39 routes (39 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    99.0.0.0/17 *[Static/5] 00:00:06
    > to 10.0.0.6 via ge-0/0/1.0
    99.0.0.0/19 *[Static/5] 00:01:05
    > to 10.2.0.10 via ge-0/0/2.0
    99.0.0.0/24 *[Static/5] 00:01:05
    > to 10.2.0.14 via ge-0/0/3.0
    99.0.0.0/26 *[Static/5] 00:01:05
    > to 10.2.0.18 via ge-0/0/6.0
    There are four static routes that route traffic through different interfaces. The router uses the ge-0/0/6 interface if traffic is sent to the 99.0.0.1 destination
  • 14 host addresses are available in the 172.27.0.0/28 network
  • Benefits of using IPv6:
    • Supports a greater level of security by integrating features that were optional add-ons in IPv4
    • Reduces administrative overhead using stateless address autoconfiguration for hosts
    • Eliminates the need for private to public NAT using a large address pool
  • The forwarding table is stored on both the RE and PFE
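The route selection in the static routing bullet above, as an added example that is not part of the original post: a binary-trie longest-prefix match over the four static routes from the `show route protocol static` output. The class and function names are hypothetical, and every destination other than 99.0.0.1 is constructed for illustration.

```python
import ipaddress

# The four static routes shown in the `show route protocol static` output.
STATIC_ROUTES = [
    ("99.0.0.0/17", "10.0.0.6", "ge-0/0/1.0"),
    ("99.0.0.0/19", "10.2.0.10", "ge-0/0/2.0"),
    ("99.0.0.0/24", "10.2.0.14", "ge-0/0/3.0"),
    ("99.0.0.0/26", "10.2.0.18", "ge-0/0/6.0"),
]


class PrefixTrie:
    """Binary trie keyed on address bits (IPv4 only); hypothetical helper."""

    def __init__(self):
        self.root = {}

    def insert(self, prefix, next_hop, interface):
        net = ipaddress.ip_network(prefix)
        # Only the first `prefixlen` bits of the network address are significant.
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for bit in bits:
            node = node.setdefault(bit, {})
        node["route"] = (str(net), next_hop, interface)

    def lookup(self, destination):
        """Return the most specific matching route, or None if nothing matches."""
        bits = format(int(ipaddress.ip_address(destination)), "032b")
        node = self.root
        best = node.get("route")  # a 0.0.0.0/0 default route would sit here
        for bit in bits:
            node = node.get(bit)
            if node is None:
                break
            # Each deeper node holding a route is a longer, more specific match.
            best = node.get("route", best)
        return best


def build_table(routes=STATIC_ROUTES):
    trie = PrefixTrie()
    for prefix, next_hop, interface in routes:
        trie.insert(prefix, next_hop, interface)
    return trie


def lookup_static(destination):
    """Longest-prefix match of one destination against the page's routes."""
    return build_table().lookup(destination)


if __name__ == "__main__":
    # 99.0.0.1 is the page's case; the other destinations are constructed.
    for dest in ("99.0.0.1", "99.0.0.100", "99.0.1.1", "99.0.64.1", "99.0.128.1"):
        print(dest, "->", lookup_static(dest))
```

All four routes cover 99.0.0.1, so the /26 wins; moving the destination outside each narrower prefix falls back to the next wider one, and an address outside the /17 matches nothing.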
 

PlAwAnSaI

Administrator
JNCIA:

  • OSPF hello packets that are sent from a remote router and are destined for the local router and Telnet traffic that is sent from a remote host and is destined for the local router are two examples of RE exception traffic.
  • A BGP router only uses the MED attribute, by default, when multiple routes in the Adjacency-RIB-In table have arrived from the same neighbouring AS.
  • By default, a Response message carries 25 route entries. When plain-text authentication is configured, one route entry is used to store the authentication data. Therefore, only 24 route entries can be advertised in this scenario. Using MD5 authentication, however, requires the use of two route entries, leaving a capacity of 23 RIP routes in the message.
  • ge-4/3/2:
    • media type Gigabit Ethernet interface in slot 4 in the chassis/slot 3 of the FPC/port 2 in a PIC.
    • media type Gigabit Ethernet interface on FPC 4/PIC 3/Port 2.
  • RIPv2 defaults to advertising Response messages using the 224.0.0.9/32 multicast group address.
  • Using an MPLS network to support Layer 3 VPNs. By default, the JUNOS software stores VPN routing information advertised between Provider Edge routers in the bgp.l3vpn.0 routing table.
  • The JUNOS software places a single next-hop entry into the forwarding table for each valid route in the routing table, by default. You can modify this behaviour by configuring a routing policy within the [edit routing-options forwarding-table] configuration hierarchy.
  • 3 prefixes will match route-filter 192.168.0.0/16 upto /17. The upto match type stops the evaluation of the route filter and matches the routes found at the specified level. This route filter matches the 192.168.0.0/16, 192.168.0.0/17, and 192.168.128.0/17 routes.
  • The Routing Protocol Daemon (rpd) software process is responsible for / in charge of operating all routing protocols in the JUNOS software.
  • 1 - 50: drive.google.com/open?id=0B-ob6L_QjGLpNUxPYTBIcVozcUE
  • 51 - 100: drive.google.com/open?id=0B-ob6L_QjGLpakNvMzczY1pRZ00
  • 101 - 150: drive.google.com/open?id=0B-ob6L_QjGLpbzFsTTczcWQxUUU
  • 151 - 200: drive.google.com/open?id=0B-ob6L_QjGLpcGV4UWpKSXpiNjQ
  • 201 - 250: drive.google.com/open?id=0B-ob6L_QjGLpaEZ2VEJFY3NIM1k
  • 251 - 300: drive.google.com/open?id=0B-ob6L_QjGLpT29kdFRUakplUHM
  • 301 - 350: drive.google.com/open?id=0B-ob6L_QjGLpSnBweXp4Q2pxelE
  • 358 - 368: issuu.com/ruthgriffithfreedumps/docs/_2017-may-version_free_jn0-102_dump
Certification Levels:
  • Up to four levels per track:
    • JNCIA - Internet Associate
      • Multiple choice exam
    • JNCIS - Internet Specialist
      • Multiple choice exam
    • JNCIP - Internet Professional
      • Multiple choice exam
    • JNCIE - Internet Expert
      • One-day, lab-based exam
Introduction to JUNOS Software:
JUNOS Software:
  • Robust, modular operating system
    • Provides industry-leading performance and scalability
    • Based on the FreeBSD UNIX operating system
  • Protocols
  • Interface Mgmt
  • Chassis Mgmt
  • SNMP
  • Security Services
  • ...
Single Software Train:
  • A single software train for all platforms running JUNOS Software
    • Eases management overhead by providing a consistent set of features that are implemented in a consistent manner
Separation of Control and Forwarding:
  • All platforms running JUNOS Software share a common design goal:
    • Clean separation of control and forwarding functions
  • Control Plane: Routing Engine (RE)
    JUNOS Software: Routing Table (RT) > Forwarding Table (FT) - Internal Link >
  • Forwarding Plane: Packet Forwarding Engine (PFE)
    Frames/Packets In > FT > Frames/Packets Out
  • MAC Table = Bridge Table
Routing Engine:
  • Maintains routing and forwarding table
Packet Forwarding Engine (PFE):
  • Uses Layer 2 and 3 forwarding
  • ACL = stateless firewall filtering
Transit Traffic Processing: Pass-through
Exception Traffic Processing:
  • Exception traffic is rate-limited
Overview of JUNOS Platforms:
  • M Series
  • T Series: Core Router
  • SRX Series: Firewall
Common User Interface Options:
  • JUNOS CLI:
    • Text-based command shell
    • Accessible through the console port using a terminal emulation program
      • Uses RJ-45 RS-232 @ 9600 Bps, 8/1/N (not configurable)
    • Also accessible through network ports using an access management protocol such as Telnet or SSH
      • Requires network interface and related service configuration
      • Many Junos devices include a dedicated management Ethernet interface used for out-of-band access
  • J-Web:
    • Web-based graphical user interface
    • Accessible through an HTTP-enabled or HTTPS-enabled browser
Logging In:
  • When logging in:
    • Nonroot users are placed into the CLI automatically
      login: user
      Password:
      user@host> - CLI Prompt
    • The root user must start the CLI from the shell
      • Remember to exit the root shell after logging out of the CLI!
      root@router% cli - Shell Prompt
CLI Modes:
  • Operational mode:
    • Monitor and troubleshoot the software, network connectivity, and hardware
      user@router> - The > character identifies operational mode
  • Configuration mode:
    • Configure the device, including interfaces, protocols, user access, and system hardware properties
      [edit]
      user@router# - The # character identifies configuration mode
Context-Sensitive Help:
  • Type ? anywhere on the command line to get help:
    user@router> ?
    Possible completions:
    clear Clear information in the system
    configure Manipulate software configuration information
    file Perform file operations
    help Provide help information
    ...

    user@router> clear ?
    Possible completions:
    amt Clear AMT Protocol information
    arp Clear address resolution information
    auto-configuration Clear auto-configuration action
    bfd Clear Bidirectional Forwarding Detection information
    ...
 

PlAwAnSaI

Administrator
A bit of JNCIE-SP:
  • Apply the new hostname R1:
    set system host-name R1
  • Set the time zone location of the device:
    set system time-zone Asia/Bangkok
    show system uptime = Cisco show clock
    show log messages = show logging
  • Configure firewall filters to control traffic destined to the routing engine:
    set firewall policer re-policer if-exceeding bandwidth-limit 100k
    set firewall policer re-policer if-exceeding burst-size-limit 25k
    set firewall policer re-policer then discard
    set firewall family inet filter protect-re term icmp from protocol icmp
    set firewall family inet filter protect-re term icmp then policer re-policer
    set firewall family inet filter protect-re term icmp then accept
    show firewall filter protect-re
    set firewall family inet filter protect-re term last then count dropped-packets
    set firewall family inet filter protect-re term last then log
    set firewall family inet filter protect-re term last then discard
    show firewall filter counter dropped-packets protect-re
    show firewall log
  • Assign IP addresses on interfaces:
    show interfaces terse = show ip interface brief
    set interfaces lo0 unit 0 family inet address 172.31.100.1/32
    set interfaces ge-0/0/0 unit 0 family inet address 172.22.121.2/30
  • IGP Setup:
    set interfaces ge-0/0/0 unit 0 family iso
    set interfaces lo0 unit 0 family iso address 49.1234.1720.3110.0001.00
    set protocols isis interface ge-0/0/0.0 point-to-point
    ge-0/0/0.0 - Gigabit Ethernet interface on FPC 0/PIC 0/Port 0, logical interface 0
    set protocols isis interface lo0.0 passive
  • Turn up LDP and MPLS:
    set interfaces ge-0/0/0 unit 0 family mpls
    set protocols mpls interface ge-0/0/0.0
    set protocols ldp interface ge-0/0/0.0
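How the protect-re filter and re-policer listed in this post treat traffic bound for the Routing Engine, as an added example that is not part of the original post: a simplified Python model of the term order (icmp, then last) and of the policer as a token bucket. It assumes the filter is applied as an input filter on lo0, which the post does not show; the class names and all sample packets are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Policer:
    """Simplified token-bucket model of `firewall policer re-policer`."""
    bandwidth_bps: int          # if-exceeding bandwidth-limit 100k (bits/s)
    burst_bytes: int            # if-exceeding burst-size-limit 25k (bytes)
    tokens: float = field(init=False)
    last_seen: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def conforms(self, now, size):
        # Refill at bandwidth-limit (converted to bytes/s), capped at the burst size.
        refill = (now - self.last_seen) * self.bandwidth_bps / 8
        self.tokens = min(float(self.burst_bytes), self.tokens + refill)
        self.last_seen = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False            # out of profile: policer action `then discard`


class ProtectRe:
    """Term-by-term model of `firewall family inet filter protect-re`."""

    def __init__(self):
        self.policer = Policer(bandwidth_bps=100_000, burst_bytes=25_000)
        self.counters = {"dropped-packets": 0}
        self.log = []

    def evaluate(self, pkt):
        # term icmp: from protocol icmp; then policer re-policer; accept
        if pkt["proto"] == "icmp":
            if self.policer.conforms(pkt["t"], pkt["size"]):
                return "accept"
            return "policed"
        # term last: no `from` clause, so it matches everything that is left;
        # then count dropped-packets; log; discard
        self.counters["dropped-packets"] += 1
        self.log.append((pkt["proto"], pkt.get("dport")))
        return "discard"


def sample_packets():
    """Constructed traffic: an ICMP burst, then control and management packets."""
    flood = [{"t": 0.0, "proto": "icmp", "size": 1000} for _ in range(40)]
    later = [
        {"t": 0.5, "proto": "tcp", "dport": 22, "size": 80},    # SSH to the RE
        {"t": 0.5, "proto": "udp", "dport": 646, "size": 70},   # LDP hello
        {"t": 0.5, "proto": "tcp", "dport": 179, "size": 90},   # BGP
        {"t": 0.5, "proto": "icmp", "size": 84},                # ping after refill
    ]
    return flood + later


def run_sample():
    flt = ProtectRe()
    verdicts = [flt.evaluate(p) for p in sample_packets()]
    return flt, verdicts


if __name__ == "__main__":
    flt, verdicts = run_sample()
    print("ICMP burst accepted:", verdicts[:40].count("accept"))
    print("ICMP burst policed: ", verdicts[:40].count("policed"))
    print("later verdicts:     ", verdicts[40:])
    print("dropped-packets:    ", flt.counters["dropped-packets"])
    print("firewall log:       ", flt.log)
```

With only the icmp and last terms, SSH, LDP and BGP packets addressed to the router all reach term last and are discarded, so a filter like this needs accept terms for the management and routing protocols in use before it goes on lo0. IS-IS is not affected because it runs under family iso rather than family inet.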
 

PlAwAnSaI

Administrator
JNCIA:
Command and Variable Completion:
  • Use the Spacebar to complete commands:
    user@host> show i
    'i' is ambiguous.
    Possible completions:
    iccp Show Inter Chassis Control Protocol information
    igmp Show Internet Group Management Protocol information
    ike Show Internet Key Exchange information
    interfaces Show interface information
    ipsec Show IP Security information
    ipv6 Show IP version 6 information
    isis Show Intermediate System-to-Intermediate System information
  • Use the Tab key to complete commands and variables:
    [edit policy-options]
    user@router# show policy-statement this-is-my-policy
    then accept;
Editing Command Lines:
EMACS-style editing sequences are supported:
  • Ctrl+b(ackward): Moves the cursor left one character;
  • Ctrl+a: Moves the cursor to the beginning of the command line;
  • Ctrl+f(orward): Moves the cursor right one character;
  • Ctrl+e(nd): Moves the cursor to the end of the command line;
A VT100 terminal type also supports the Arrow keys
Using | (Pipe):
  • Use | (pipe) to filter and manipulate command output:
    user@host> show route | ?
CLI Operational Mode:
  • Execute operational mode commands to monitor and control the operation of devices running the Junos OS
    • Hierarchy of commands: Less Specific > More Specific
      • Example: user@host> show ospf interfaces
Active Versus Candidate Configuration:
  • Batch configuration model:
    • Must commit configuration changes
  • Active configuration:
    • Current operational configuration
    • Boot-up configuration
  • Candidate configuration:
    • A working copy for configuration changes
    • Initialized with the active configuration
    • Becomes active configuration upon commit
Overview: The Life of a Configuration File:
  • Active Configuration 0 - configure > Candidate Configuration - commit > Active Configuration 0
  • Active Configuration 0 - rollback 1-49 > Candidate Configuration
Entering Configuration Mode:
  • Type configure at the operational mode prompt to enter configuration mode
  • Use configure exclusive to:
    • exclude other users from editing the configuration
    • allow only a single person to edit a configuration
    • Any uncommitted changes are discarded when users exit
    • > configure ?
      exclusive Obtain exclusive lock (other users cannot make changes)
  • Use configure private to allow users to edit private copies of candidate configuration concurrently
    • When users issue a commit, their private changes merge back into the global configuration
    • Any uncommitted changes are discarded when users exit
    • If two users make competing changes, the first user's commit succeeds, and the second user receives a warning
      • The second user must issue a second commit to activate the change
Configuration Statement Hierarchy:
    [edit]
    user@host# edit protocols ospf area 51 stub
    [edit protocols ospf area 0.0.0.51 stub]
    user@host#
Configuration File Is Hierarchical:
  • Enter CLI commands without curly brackets:
    [edit system]
    user@host# set services web-management http port 8080
  • The result is a hierarchical configuration file, complete with curly brackets:
    [edit system]
    user@host# show services
    web-management {
        http {
            port 8080;
        }
    }
Moving Between Levels:
  • edit: functions like a change directory command / a CD command:
    user@router# edit protocols ospf area 51
  • up: moves up one level in the hierarchy
  • up n: moves up n levels in the hierarchy
  • top: moves to the top of the hierarchy
  • exit: moves to the previous, higher level in the hierarchy or exits configuration mode if at the top level of the hierarchy
 

PlAwAnSaI

Administrator
Adding Configuration Statements:
  • Use set to add configuration statements:
Removing Configuration Statements/elements on a Junos device:
  • Use delete to remove configuration statements; the word delete starts the command
Test Knowledge:
  • You just disabled an interface with set interfaces interface-name disable
    Use delete interfaces interface-name disable to enable it again
Committing a Configuration:
  • Use commit to activate configuration changes:
    [edit]
    user@host# commit
    commit complete
    • If multiple REs are installed, use commit synchronize
  • Use commit check to confirm syntax:
    [edit]
    user@host# commit check
    [edit interfaces ge-0/0/10 unit 0]
    'family'
    When an ethernet-switching family is configured on an interface, no other family type can be configured on the same interface.
    error: configuration check-out failed
  • Use commit confirmed
  • Use commit at to schedule a future commit
Comparing Configuration File Differences:
  • Compare candidate and active configurations:
    [edit system services]
    user@host# show | compare
    [edit system services]
    + ftp;
    - telnet;
  • Compare active and historical configurations:
    user@host> show configuration | compare rollback number
Loading Configuration Files:
  • Use the load command to load a configuration file:
  • Use terminal to input from the terminal capture buffer
Using the run command (equivalent to Cisco do):
  • The run parameter must be included when executing operational mode CLI commands from within configuration mode.
    • Can save time
    • # run ping 1.1.1.1
J-Web Overview:
  • The J-Web user interface:
    • Allows for easy setup and maintenance
      • Fast deployment with minimal configuration steps
      • HTTP-based - no user software required
    • Offers quick verification of system status
      • The summary page shows system information and status
    • Provides multiple configuration options
Dashboard Tab:
  • The Dashboard tab is the default view
Configure Tab:
  • Graphical configuration editing and viewing
Monitor Tab: Operational Mode
Maintain Tab
Troubleshoot Tab
Initial Configuration Checklist
Initial Configuration:
  • Set the time parameters:
    • Time zone
  • Set the management network parameters:
    • Management interface address
    • Static route for management traffic
Viewing the Results:
  • Use show configuration to view the results
The Rescue Configuration:
  • A rescue configuration is designed to restore basic connectivity in the event of a configuration problem
Overview of Interfaces:
  • Interfaces connect to networks or provide a service; interface type examples
Interface Naming:
  • Most interfaces are named according to:
    • Interface media type (ge, so, at, and so forth)
    • Line card (FPC) slot number
    • Interface card (PIC) slot number
      While different platforms use a different name
Logical Units:
  • Similar to sub-interfaces used by other vendors:
    • In JUNOS Software, a logical unit is always required
Interface Properties:
  • Physical properties settings include:
    • Data Link Layer protocol
    • Link speed and duplex
Authentication Order Example:
[edit]
user@host# show system authentication-order
authentication-order [ radius tacplus ];
Components of Authorization:
User > Class > Permission > deny-commands (operational mode) / deny-configuration (configuration mode) > allow-commands / allow-configuration > Authorized or Denied
[edit system login]
root@host# show
class noc-admin {
    permission [ clear network reset view ];
    allow-commands "(configure private)";
    deny-commands "(file)";
    allow-configuration "(interface)...
set system login user admin class super-user authentication ...
System Logging Overview:
  • System logging:
    • Uses UNIX Syslog-style configuration syntax
Syslog Configuration Example:
[edit system syslog]
user@host# show
user * {                  < Emergency messages go to all logged-in users (*)
    any emergency;
}
host 10.210.14.174 {      < Logs to a remote host
Interpreting Syslog Messages:
Traceoptions Overview:
  • Tracing is the JUNOS Software equivalent of debug
    • Requires configuration
Traceoptions Configuration Example:
  • Include the traceoptions statement at the [edit protocols protocol-name] hierarchy level
    • Traceoptions also available for other hierarchies
Analyzing Log and Trace Files:
  • Use show log file-name to display file contents:
Miscellaneous Log File Commands:
  • Use the monitor to perform real-time monitoring:
    user@host> monitor start filename
    • Use pipe (|) to filter
NTP Clock Synchronization:
  • Use NTP to synchronize clocking on network devices
Monitoring NTP Clock Synchronization:
Archiving Configuration Files:
  • Configure the host to automatically back up the configuration file at the [edit system archival] hierarchy
Monitoring the Archival Process:
  • Configuration files are queued for transmission in the /var/transfer/config directory
SNMP Overview:
  • SNMP facilitates communication between an SNMP agent and a network management system
    • NMS and agent communication:
      • Get, GetBulk, and GetNext requests
      • Set requests
      • Notifications (traps (UDP) - SNMP v2c or informs (TCP) - SNMP v3)
  • MIB:
    • Used to define managed objects in a network device
Example: Configuration SNMP:
[edit snmp]
user@host# show
description "My JUNOS Device";
location...
Monitoring Tools:
  • Primary monitoring tool is JUNOS CLI
Monitoring System-Level
Monitoring the Chassis:
Verifying Interface Status:
  • Use show interface
Terse Output Example:
  • Use show interfaces terse to quickly
Monitoring Interfaces
  • Use monitor interface
Network Utilities:
  • Access Telnet, SSH, ...
Packet Capture Example:
JUNOS Software Naming Convention:
Upgrade the JUNOS Software:
  • Download JUNOS Software
  • by USB:
    root@% mkdir /var/tmp/usb (any directory name can be used as a mounted directory)
Password Recovery Process:
  • Must have a console connection
  • Steps:
    1. Reboot the system
      • Press the Spacebar when prompted
      • Enter boot -s to access single user mode
    2. Enter recovery, when prompted to go into recovery
  • The IP address 10.1.1.1 belongs to Class A of IP address space.
  • For the interface ge-1/2/3.4, "ge" represents Gigabit Ethernet.
  • The Junos Genius mobile learning platform (www.junosgenius.net) helps you learn Juniper technologies and prepare for Juniper certification exams on your schedule.
  • 11000000 10101000 10111011 11001001 is the binary equivalent of 192.168.187.201.
  • 01100000 00000110 11100111 10010100 is the binary equivalent of 96.6.231.148.
Junos Troubleshooting Process:
Before You Begin...:
  • First, do no harm:
    • Know what is normal
    • Use change control processes
    • Plan for the worst
    • Backup configurations and other key files
    • Use non-disruptive practices
    • Recreate in a lab environment
    • Use maintenance windows
Know What Is Normal:
  • You must know what is normal for your system:
    • Establish a baseline before a problem occurs:
      • Resource utilization
      • Throughput
      • Types of traffic
  • Confirm the symptoms:
    • Always verify a problem exists before conducting potentially disruptive testing
Change-Control Processes:
  • Use change-control processes:
    • Formalized
    • Balance needs with risks
    • Coordinate scheduling to minimize impact to production
    • Remember, customers might have change control policies in place as well
Plan for the Worst:
  • Have a back-out plan
Configuration:
  • Working with configurations:
    • Use save to make backups before modifying a configuration:
      • All or part of a configuration can be saved locally or remotely
    • Use commit comment to add comments:
      • Logged comments can help when a quick rollback is needed
    • Use commit confirmed to temporarily activate
      • When working with remote systems
      • When adding or modifying policies, firewalls, or other security elements
Disruptive Practices:
  • Be aware of disruptive practices:
    • Review power-on hardware information for your equipment:
      • Hot-swappable FRUs
      • Hot-pluggable FRUs
    • Review hardware redundancy options where available
    • Be careful when using hidden CLI commands:
      • Hidden commands are hidden for a reason
      • Understand disruptive potential before using
    • Be careful when using disruptive testing techniques
Recreate in Lab Environment:
  • Why start a lab reproduction effort?
    • You can troubleshoot without affecting customer traffic even when your actions are potentially disruptive
    • You are free to experiment with possible workarounds:
      • One possible methodology is to start with a simple setup, and add detail until the problem can be reproduced
    • Lab reproduction is invaluable for some problems:
      • Protocol anomalies
      • Interoperability issues
      • Unexpected signaling behavior
    • When is lab reproduction not useful?:
      • When a problem is tied to a specific device or circuit failure
      • When the complexity of the network or of the potential triggers makes reproduction unfeasible
Maintenance Windows:
  • Minimize impact from unforeseen issues
  • Do not be distracted by perceived urgency
  • Customers have maintenance windows too
Troubleshooting:
  • The ability to identify the root cause of a problem impacting the network
  • The ability to identify the root cause of any deviation from the normal or expected behavior of a network
A Process-Based Methodology:
  • Learnable
  • Repeatable
  • Can be used when dealing within any of these elements of a device running the Junos OS:
    • Chassis
    • Control plane
    • Interfaces and circuits
    • Data plane
Where To Begin?:
  • The scientific method:
    • Characterize a problem based on observation and experience
    • Hypothesize and propose an explanation for the observation
    • Make a prediction based on past experiences
    • Test and experiment to prove or disprove the accuracy of the prediction
Troubleshooting Steps:
  • Define success
  • Isolate the component preventing success:
    • Characterize
    • Hypothesize
    • Predict
    • Test and experiment
  • Identify a solution
  • Implement the solution
Define Success:
  • Quantify the problem:
    • What is happening that should not be happening?
    • What should be happening that is not happening?
  • Define a desirable endpoint:
    • Be specific
    • Define a recognizable endpoint
    • Example: prefix a.b.c.d/z will be received from neighbor x
  • Be careful not to define success using preconceived solutions
Verify the Problem:
  • Once defined, verify the problem exists before proceeding with troubleshooting:
    • Troubleshooting can be more disruptive than the problem
Isolate the Problem:
  • Isolate the component preventing success:
    • Characterize
    • Hypothesize
    • Predict
    • Test and experiment
Characterize the issue:
  • Collect information:
    • System logs
    • Protocol traceoptions
    • Operational mode command output
  • Ask probing questions:
    • When did this start happening?
    • Has this ever worked?
    • When did this last work as desired?
    • What has changed?
    • What troubleshooting steps and actions have been tried already?
  • Identify the knowns and unknowns
Hypothesize:
  • Suggest possible explanations for observed behavior:
    • Identify all required components and dependencies
      • Use your knowledge of the technology
      • Remember the OSI
      • Use online references
      • When possible, reconstruct a working scenario
    • Be complete
    • Do not assume
    • Do not overlook the obvious
Layered Approach:
TCP - OSI:
  • Link - Physical, Data Link
  • Internet - Network
  • Transport - Transport
  • Application - Session, Presentation, Application
Revisiting Control and Data Planes:
  • Control Plane - Routing Engine - Common Symptoms: Missing routes
  • Data Plane - Ingress > PFE - FT > Egress > Common Symptoms: Physical errors, dropped packets (all or some)
  • Generally a good idea to begin diagnosis at the control plane
Predict and Test:
  • Make a prediction:
    • Identify most probable explanation
      • Be complete
      • Do not assume
      • Do not overlook the obvious
    • Test to prove (or disprove) your hypothesis
      • Validity, validity, validity!
Recursive Process:
  • "If at first you don't succeed...":
    • Divide and conquer:
      • Remember the reference models
    • Narrow down the possibilities:
      • Validity, validity, validity!
      • Build your own troubleshooting flowchart as you go
      • Each test should reduce the number of possible causes for the problem, regardless of pass/fail status
    • Remember, more than one contributing factor could be present (particularly in new setups)
Consider the Possibilities:
  • Possible causes:
    • Configuration
    • Hardware
    • Software
    • Something else
  • Remember, more than one contributing factor could be present:
    • New installations
    • Some troubleshooting has already occurred
    • New, previously unnoticed issues, become apparent
Configuration Errors:
  • Most plausible in new setup or with recent changes:
    • Use show system commit to check for recent changes
    • Use show | compare rollback x to display differences in rollback configurations
    • Remember to check all devices that could introduce a problem
  • Eliminate the control plane as a possibility before focusing on the data plane
  • When configuration errors are suspected, it is OK to quickly glance at the configuration, but rely on operational mode commands to isolate errors:
    • The human brain sees what it expects to see
The Human Brain, a Funny Thing...:
Take a moment and read the following paragraph:
Arocdnicg to rsceearch it deosn’t mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the rghit pcale. The rset can be a toatl mses and you can sitll raed it wouthit pobelrm. Tihs is buseace the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe.
Sample operational mode commands:
  • Success:
    • Reachability between remote hosts using a BGP-learned route X
  • Operational mode commands to help isolate the problem:
    • show route protocol bgp
    • show route prefix
    • show bgp summary
    • traceroute
    • show route receive-protocol bgp
    • show route advertising-protocol bgp
  • Know which part of the configuration you must review
Hardware Errors:
  • Plausible in new out-of-box setups
  • Plausible if new problems show up in established networks
    • Can be a delayed effect from improper handling
  • Alarms, LEDs, and log files, along with operational mode command output all prove helpful in troubleshooting hardware issues
  • Try moving the problem
  • Generally eliminate hardware as a possibility before progressing on to software
The Human Brain - Still a Funny Thing...:
Count the number of Fs:
The necessity of training farm hands for first class farms in the fatherly handling of farm live stock is foremost in the eyes of farm owners. Since the forefathers of the farm owners trained the farm hands for first class farms in the fatherly handling of farm livestock, the farm owners feel they should carry on with the family tradition of training farm hands of first class farmers in the fatherly handling of farm live stock because they believe it is the basis of good fundamental farm management.
Parsing System Log and Other Output:
  • The CLI's | (pipe) function makes parsing log files and other extensive output easy:
    • Several options are available:
      • Use the | (pipe) function to filter and manipulate output
        show interfaces terse | match down
      • Chain multiple options for advanced capability
        show log messages | match fpc | match fail | count
      • Use quotes and the pipe function as a logical "or" for example:
        show log messages | match "fpc | sfm | kernel"
    • Search the messages and chassisd logs for entries like fail, kernel, core, error, and so on
Hardware Troubleshooting:
  • Display and View Alarms:
    show chassis alarms

  • View LED Status and Display Craft Interface:
    show chassis craft-interface

  • Parse and View Syslogs and Act Accordingly:
    show log messages
    show log chassisd
    monitor start [messages | chassisd]
  • Display Interface and Hardware Status:
    show chassis hardware
    show chassis fpc
    show pfe statistics error
    show interfaces terse
    show interfaces interface detail
    show log log-file-name
Software Errors:
  • Plausible in new setups, with recent Junos OS upgrades, or when using new features
  • View version and last Junos OS change:
    show version detail
    show system software detail
    file list /var/sw/pkg detail | match rollback
  • Check online resources for known issues:
    • Check release notes:
      www.juniper.net/documentation/software/junos
    • Search using keyword search - requires login:
      prsearch.juniper.net
Troubleshooting software problems:
  • First, eliminate hardware as a possible issue
  • Review logs for software-related entries
  • Verify required processes are running
  • Move the problem:
    • Can the issue be duplicated on another system using the same version of the Junos OS?
    • Can the issue be duplicated on another system using a different version of the Junos OS?
  • Core files and memory dumps might be required for advanced troubleshooting
  • Parse and View Syslogs and Act Accordingly:
    show log messages
    monitor start messages
  • Display Running Processes:
    show system processes
    show system connections
    file show /etc/services
  • Determine Whether Core Files Are Present:
    show system core-dumps
    file list /var/tmp/*core*
    file list /var/crash/*core*
One More Possibility...:
  • Something else:
    • Outside influences
      • Changes in traffic flow
      • Changes in traffic type
      • Malicious attacks
    • Works as designed
      • Misunderstanding of feature
      • Design decision
Identify Possible Solutions:
  • More than one way might be possible
  • Criteria:
    • The fix does not cause other problems
    • The fix survives a reboot
    • The fix is well communicated
    • The fix is operationally understandable
  • Short-term fixes are acceptable for quick restoration of service - short term
  • Test the solution:
    • Validity, validity, validity
    • Plan how to implement solution with minimum disruption
Implement the Solution:
  • Remember - do no harm:
    • Follow change control processes
    • Use maintenance windows
    • Have a back-out plan
    • Plan for the worst
  • Verify that the issue is resolved:
    • Success achieved?
    • Monitor solution
    • Confirm the absence of other negative impacts
  • Document the changes
Challenging Network Issues:
  • Some situations can be particularly challenging:
    • Packet loss
    • Troubleshooting intermittent issues
    • Isolating bottlenecks
  • Information is key:
    • Use an out-of-band management network to ensure access
    • Have a baseline for comparison
    • Use appropriate logging options
    • Look for patterns
Monitoring Memory and Storage:
  • Enter into configuration mode and load the device's reset configuration by issuing the load override jtnoc/lab3-start.config command.
  • Change the root password to lab123 by issuing the set system root-authentication plain-text-password command.
  • Issue the show system storage command to determine the amount of storage space available on your router.
    User home directories are located at /var/home. The /var directory is mounted on a partition of ada1s1f, so it is currently being used to store user home directories.
  • Enter the shell as the root user by issuing the start shell user root command. Enter the password of lab123 when prompted.
  • Perform a read-only test to determine the integrity of the ada1 storage drive. Use the dd if=/dev/ada1 of=/dev/null bs=1m command to perform the test.
    It might take between 5 and 10 minutes for the test to complete. Be patient.
    • If the test results show that errors occurred, please notify your support because your router might be experiencing a hardware failure.
    • 4192247808 bytes transferred in 95.412312 secs (43938227 bytes/sec)
      4192247808 bytes were read from the da0 flash drive.
Viewing Boot and System Logs:
  • Direct your router to reboot in 20 minutes using the request system reboot in 20 command.
    Shutdown at Tue Jan 16 09:58:54 2018.
    The router will reboot at 09:58.
  • Clear the scheduled reboot using the clear system reboot command.
  • Direct your router to reboot immediately using the request system reboot command.
  • View the boot messages that occurred during the reboot process by issuing the show system boot-messages | no-more command.
    The boot messages record the step-by-step process that the RE goes through to boot. No critical errors should have occurred. You may see a few instances while the system is coming online.
  • Use the show system uptime command to determine the router's current time and date.
    Current time: 2018-01-16 09:53:28 ICT
    The time and date are currently 2018-01-16 09:53:28 ICT.
  • View the messages log file using the show log messages command to see detailed information about the PFE during the reboot that just occurred. It might be helpful to use the match modifier to ensure that only entries from today's date are shown. For example, if today's date is Jan 16th, issue the command show log messages | match "Jan 16" (you might need to use two spaces between month and day).
  • You might notice that matching on the date might not narrow the search down enough because thousands of entries might happen on any one day. Use the previous command but add a second pipe that matches on reboot, show log messages | match "Jan 16" | match reboot.
    • Jan 16 10:12:31.570 2018 vmx1 mgd[95632]: UI_REBOOT_EVENT: System rebooted by 'lab'
      The first reboot was issued at 10:12:31.
    • Jan 16 10:12:31.594 2018 vmx1 shutdown: reboot requested by lab at Tue Jan 16 10:32:31 2018
      This indicates that we requested the reboot to happen 20 minutes later.
    • Jan 16 10:14:44.681 2018 vmx1 mgd[95632]: UI_REBOOT_EVENT: System rebooted by 'lab'
      The second request was issued at 10:14:44.
  • Using the show log messages | match chassisd | match fpc | match online command, determine the exact time that FPC 0 came back online after the reboot. (Status of FPCs are tracked by chassisd.)
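The reboot audit trail described above can also be extracted offline from a saved messages file. The following Python sketch is an added example, not part of the original notes: it parses the three sample lines quoted above plus one constructed single-digit-day line, separates the mgd UI_REBOOT_EVENT entries from the shutdown scheduling entry, and shows why a single-space date pattern misses "Jan  6". The case-insensitive behaviour of the `cli_match` stand-in is an assumption.

```python
import re
from datetime import datetime

# First three lines are the samples quoted in the notes; the last line is
# constructed to show a single-digit day, which syslog pads with two spaces.
SAMPLE_LOG = """\
Jan 16 10:12:31.570 2018 vmx1 mgd[95632]: UI_REBOOT_EVENT: System rebooted by 'lab'
Jan 16 10:12:31.594 2018 vmx1 shutdown: reboot requested by lab at Tue Jan 16 10:32:31 2018
Jan 16 10:14:44.681 2018 vmx1 mgd[95632]: UI_REBOOT_EVENT: System rebooted by 'lab'
Jan  6 08:00:00.000 2018 vmx1 mgd[1200]: UI_REBOOT_EVENT: System rebooted by 'lab'
"""

HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?P<year>\d{4}) (?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IMMEDIATE = re.compile(r"UI_REBOOT_EVENT: System rebooted by '([^']+)'")
SCHEDULED = re.compile(
    r"reboot requested by (\S+) at \w{3} (\w{3}\s+\d{1,2} [\d:]{8} \d{4})"
)


def _stamp(text, fmt):
    """Parse a timestamp after collapsing the padding of single-digit days."""
    return datetime.strptime(" ".join(text.split()), fmt)


def reboot_events(log_text):
    """Return one dict per reboot-related line: who, when, and the scheduled time."""
    events = []
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        when = _stamp(f"{head['date']} {head['year']} {head['time']}",
                      "%b %d %Y %H:%M:%S")
        base = {"when": when, "host": head["host"], "proc": head["proc"]}
        hit = IMMEDIATE.search(head["msg"])
        if hit:
            events.append({**base, "user": hit[1], "scheduled_for": None})
            continue
        hit = SCHEDULED.search(head["msg"])
        if hit:
            # The time after "at" is when the reboot will run, not when it was typed.
            events.append({**base, "user": hit[1],
                           "scheduled_for": _stamp(hit[2], "%b %d %H:%M:%S %Y")})
    return events


def cli_match(text, pattern):
    """Rough stand-in for the CLI `| match` filter (case-insensitivity assumed)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in text.splitlines() if rx.search(line)]


if __name__ == "__main__":
    for ev in reboot_events(SAMPLE_LOG):
        print(ev["when"], ev["proc"], ev["user"], ev["scheduled_for"])
```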
Monitoring Chassis Alarms:
  • Determine if any alarms exist by issuing the show chassis alarms command.
    2 alarms currently active
    2 active alarms exist.
  • Enter configuration mode and change the default chassis alarm settings so that the router generates a red alarm if any Ethernet port is in the link-down state, by issuing set chassis alarm ethernet link-down red.
  • delete chassis alarm ethernet link-down
Examining User Processes and Daemons:
  • Issue the show system users command.
    USER TTY FROM LOGIN@ IDLE WHAT
    lab pts/0 192.168.0.231 2:23PM - -cli (cli)
    • Only the user, lab, is logged in to your device.
    • Shows that user lab is logged in from the IP address of 192.168.0.231.
  • Forcibly log out the user's session by issuing the request system logout user lab terminal pts/0 command.
  • Issue the show system processes extensive command.
    • The chassisd daemon manages the chassis components of the router.
    • The rpd daemon manages the routing function.
  • Issue the show route command.
    • 10.85.0.12/32 *[Direct/0] 16w3d 20:52:27
      Shows that the oldest route has been in the routing table for 16w3d 20:52:27.
    • If for some reason the rpd process were to restart, the Junos OS removes all routing information from the routing table. Then, the Junos OS adds any current routing information through independent and dynamic routing protocols.
  • Issue the restart routing command.
    • All the routes in the routing table were removed and replaced with new routes, which you can see by viewing the current age of the routes in the routing table.
    • Restarting rpd causes ISIS to completely reconverge. All neighbor adjacencies must re-establish, the router must repopulate the linkstate database, and calculations must run on all possible routes to determine the best path.
    • You can restart only ISIS by issuing the deactivate protocols isis command at the [edit] hierarchy level, committing the configuration, issuing activate protocols isis, and committing the configuration again.
Generating Core Files:
  • Issue the show system core-dumps command:
    /var/crash/*core*: No such file or directory
    /var/tmp/*core*: No such file or directory
    No core dump files are present on your device.
  • Generate a core dump file using the rpd process, request system core-dump routing.
  • Delete the core dump from the device using the file delete command.
Configuring Routing Protocols and Routing Tables:
  • Issue the show route command.
    • 0.0.0.0/0 *[Static/100] 00:30:48
      The default static route points to unknown destinations.
    • inet.0: 81 destinations, 81 routes (81 active, 0 holddown, 0 hidden)
      inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
      The inet.0 and inet6.0 routing tables are present in the output.
  • To test connectivity, ping the virtual router loopback address (192.168.1.1) attached to your vmx1 device. Limit your attempts to 5 pings, ping 192.168.1.1 count 5.
    5 packets transmitted, 0 packets received, 100% packet loss
    The ping test was not successful.
  • Because the ping test failed in the previous step, issue a traceroute to the same address to determine the path taken, traceroute 192.168.1.1.
    • 1 * * *
      ...
      30 * * *
      Shows that the next-hop device does not have the proper routing knowledge.
    • show route 192.168.1.1
      0.0.0.0/0 *[Static/100] 00:46:35
      Our local router does not have a route to that IP and must use the default 0/0 route to attempt to reach this address.
  • edit protocols ospf
    set area 0 interface ge-0/0/4
  • Issue the show ospf interface and show ospf neighbor commands.
  • Configure a local autonomous system:
    edit routing-options
    set autonomous-system 65412
  • Configure the bgp neighbor IP address and define the peer autonomous system number:
    top edit protocols bgp group ISP-1
    set neighbor 172.18.1.1
    set peer-as 56155
    Default Junos BGP type is EBGP.
  • Issue the run show bgp summary command to verify that BGP is currently up and established.
  • To investigate why the BGP sessions cannot reach the Established state, configure traceoptions under the BGP protocol.
    [edit protocols bgp group ISP-2]
    up 1 edit traceoptions
    set flag open
    set file bgp-trace.log
  • Issue the run show log bgp-trace.log command.
    bgp_process_open:4060: NOTIFICATION sent to 172.18.1.1 (External AS 56155): code 2 (Open Message Error) subcode 2 (bad peer AS number), Reason: peer 172.18.1.1 (External AS 56155) claims 65001, 56155 configured
    • An autonomous system mismatch exists between your device and the ISP-1 router.
    • The peer-as value should be changed to 65001.
  • Now that we know what the problem is, remove the traceoptions configuration that was just added.
    delete traceoptions
    file list /var/log/ | match trace
    file delete /var/log/bgp-trace.log
Determine Current Control Plane Requirements:
  • Review the current system configuration using the show system command.
    FTP, SSH, Telnet, and NTP traffic must be allowed by a control plane protection filter.
  • Review protocol configuration using the show protocols command.
    Also BGP and ISIS must be allowed to maintain the current communication requirements.
  • Issue the show isis adjacency command to verify ISIS is working correctly.
  • Issue the show ntp associations command to review the current status of NTP.
Configuring Control Plane Protection:
  • Navigate to the [edit policy-options] and create a prefix list named bgp-neighbors. Use the apply-path feature to walk through the Junos configuration to discover all the BGP neighbors within the configuration.
    set prefix-list bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"
  • Create a prefix-list named ospf to match both of the well-known multicast addresses (224.0.0.5/32 and 224.0.0.6/32) as well as the network associated with the WAN link. This solution does not scale well, but since we only have one neighbor and one interface this simple approach should work fine.
    set prefix-list ospf 224.0.0.5/32
    set prefix-list ospf 224.0.0.6/32
    set prefix-list ospf 192.168.11.0/30
  • Navigate to the [edit firewall family inet filter protect-re] hierarchy. Create a term called allow-bgp and ensure that BGP's TCP messages are accepted from any BGP neighbor identified in the prefix list.
    set term allow-bgp from source-prefix-list bgp-neighbors
    set term allow-bgp from protocol tcp
    set term allow-bgp from port bgp
    set term allow-bgp then accept
  • Allow-ospf:
    set term allow-ospf from source-address 192.168.11.0/30
    set term allow-ospf from destination-prefix-list ospf
    set term allow-ospf from protocol ospf
    set term allow-ospf then accept
  • Create a term called allow-ntp and ensure that NTP's UDP messages are accepted from the configured NTP server (172.25.11.254). Also make sure that NTP-related traffic is accepted from the local loopback address (192.168.31.1), because the system connects to the NTP daemon on the Junos device itself. NTP communication will work fine without the loopback address but will not be able to validate.
    set term allow-ntp from source-address 172.25.11.254
    set term allow-ntp from source-address 192.168.31.1
    set term allow-ntp from protocol udp
    set term allow-ntp from destination-port ntp
    set term allow-ntp then accept
  • Allow-ftp:
    set term allow-ftp from protocol tcp
    set term allow-ftp from port ftp
    set term allow-ftp from port ftp-data
    set term allow-ftp then accept
  • Allow-ssh:
    set term allow-ssh from protocol tcp
    set term allow-ssh from port ssh
    set term allow-ssh then accept
  • Allow-telnet:
    set term allow-telnet from source-address 172.25.11.254/32
    set term allow-telnet from protocol tcp
    set term allow-telnet from destination-port telnet
    set term allow-telnet then accept
  • Create a final term named block-rest to discard all other traffic. There is an implicit deny when dealing with firewall filters but we will create the term for others who might review our work.
    set term block-rest then discard
  • Apply it as an input filter on the loopback interface. Use commit confirmed with a 5 minute interval to ensure connectivity is not impacted.
    set interfaces lo0 unit 0 family inet filter input protect-re
    commit confirmed 5
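The protect-re filter built in the steps above can be reviewed mechanically before it is committed. The following Python audit is an added example, not part of the original notes and not Juniper tooling: it parses the `set term` lines and flags accept terms that admit management ports with no source match, terms that rely on `port` (which in Junos matches the source or the destination port), and a missing explicit final deny. The `mgmt-hosts` prefix list in the hardened variant is hypothetical.

```python
# Added example: audit of the protect-re terms from the notes (not Juniper tooling).
import shlex

# Constructed input: the statements as typed at
# [edit firewall family inet filter protect-re] in the steps above.
PROTECT_RE = """\
set term allow-bgp from source-prefix-list bgp-neighbors
set term allow-bgp from protocol tcp
set term allow-bgp from port bgp
set term allow-bgp then accept
set term allow-ospf from source-address 192.168.11.0/30
set term allow-ospf from destination-prefix-list ospf
set term allow-ospf from protocol ospf
set term allow-ospf then accept
set term allow-ntp from source-address 172.25.11.254
set term allow-ntp from source-address 192.168.31.1
set term allow-ntp from protocol udp
set term allow-ntp from destination-port ntp
set term allow-ntp then accept
set term allow-ftp from protocol tcp
set term allow-ftp from port ftp
set term allow-ftp from port ftp-data
set term allow-ftp then accept
set term allow-ssh from protocol tcp
set term allow-ssh from port ssh
set term allow-ssh then accept
set term allow-telnet from source-address 172.25.11.254/32
set term allow-telnet from protocol tcp
set term allow-telnet from destination-port telnet
set term allow-telnet then accept
set term block-rest then discard
"""

# Hardened variant of the two open terms; "mgmt-hosts" is a hypothetical prefix list.
HARDENED_TERMS = """\
set term allow-ftp from source-prefix-list mgmt-hosts
set term allow-ftp from protocol tcp
set term allow-ftp from destination-port ftp
set term allow-ftp from destination-port ftp-data
set term allow-ftp then accept
set term allow-ssh from source-prefix-list mgmt-hosts
set term allow-ssh from protocol tcp
set term allow-ssh from destination-port ssh
set term allow-ssh then accept
set term block-rest then discard
"""

SOURCE_MATCHES = {"source-address", "source-prefix-list"}
MGMT_PORTS = {"ssh", "telnet", "ftp", "ftp-data"}


def parse_terms(text):
    """Return {term: {"from": [(match, value)], "then": [action]}} in filter order."""
    terms = {}
    for line in text.splitlines():
        words = shlex.split(line)
        if len(words) < 5 or words[:2] != ["set", "term"]:
            continue  # not a term statement
        term = terms.setdefault(words[2], {"from": [], "then": []})
        if words[3] == "from" and len(words) == 6:
            term["from"].append((words[4], words[5]))
        elif words[3] == "then":
            term["then"].append(words[4])
    return terms


def audit(text):
    """Return a list of (term, finding) tuples for the filter text."""
    terms = parse_terms(text)
    if not terms:
        return [("(filter)", "no terms parsed")]
    findings = []
    for name, term in terms.items():
        if "accept" not in term["then"]:
            continue
        restricted = any(m in SOURCE_MATCHES for m, _ in term["from"])
        ports = [(m, v) for m, v in term["from"] if m.endswith("port")]
        if not restricted and any(v in MGMT_PORTS for _, v in ports):
            findings.append((name, "management port accepted from any source"))
        # Junos `port` matches the source OR destination port, so without a
        # source match the term also accepts packets merely sent from that port.
        if not restricted and any(m == "port" for m, _ in ports):
            findings.append((name, "port matches either direction"))
    last_name, last = list(terms.items())[-1]
    if last["from"] or not {"discard", "reject"} & set(last["then"]):
        findings.append((last_name, "no explicit default deny"))
    return findings


if __name__ == "__main__":
    for term, finding in audit(PROTECT_RE):
        print(f"{term}: {finding}")
```

Tightening `port` to `destination-port` also drops return traffic for sessions the router itself opens to those services, so apply such a change under commit confirmed as the step above does.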
Performing Interface Troubleshooting:
  • Issue the show interfaces terse command.
    Interface Admin Link Proto Local Remote
    ge-0/0/1.0 down up inet 172.18.2.2/30
    The logical interface for ge-0/0/1.0 is Admin down Link up. An interface unit that has been disabled will show this status.
  • Issue the show configuration interfaces ge-0/0/1 command to review the current ge-0/0/1 settings.
    disable;
  • Enter into configuration mode and delete the disable command from the ge-0/0/1 interface.
    delete interfaces ge-0/0/1 unit 0 disable
  • Issue the show interfaces ge-0/0/0 extensive command to review the interfaces properties.
    Input Filters: filter-1
  • Review the firewall configuration:
    show configuration firewall
  • show interface ge-0/0/4
    Link-level type: Ethernet, MTU: 1514, MRU: 1522, LAN-PHY mode, Speed: 1000mbps, BPDU Error: None, Loop Detect PDU Error: None,
    Logical interface ge-0/0/4.0 (Index 336) (SNMP ifIndex 530)
    Flags: No-neighbor-learn, Sendbcast-pkt-to-re
    • The link speed is 1000mbps.
    • The physical MTU is 1514.
    • The default physical MTU is 1514 in Junos.
    • The No-neighbor-learn Flag indicates the interface has been configured to not learn neighbours MAC addresses.
  • Issue the show arp command to review the currently learned MAC addresses.
  • Issue the show interfaces ge-0/0/4 | match hardware command to get the current MAC address on another side.
  • Navigate to the [edit firewall family inet filter filter-1] hierarchy and configure a static ARP entry for the neighbour address (192.168.11.2) with the MAC address identified in the previous step.
    set unit 0 family inet address 192.168.11.1/30 arp 192.168.11.2 mac 52:54:00:99:23:4a
A short IS-IS review:
  • Hierarchical link-state protocol
  • Can divide a network into areas to increase scalability
  • Unlike OSPF, areas are a property of the whole router, not of interfaces
  • An interface can belong to two levels (even simultaneously)
    • Level 1: Routes traffic within an area
    • Level 2: Routes traffic across areas
  • Maintains database synchronization by periodic check on database content
  • Very extensible: Built-in support for IPv6, MPLS-TE
IS-IS Terminology and Examples:
  • Key IS-IS features and terminology:
    • No neighbours but adjacencies
    • No routers but intermediate systems
    • No different LSA types as in OSPF - just a single object, the LSP (link state PDU), with a very complex structure
    • Separate database for Level 1 and Level 2
    • The use of TLV makes it easy to extend
    • Can add support for features like MPLS-TE and IPv6 simply by defining additional TLVs
The IS-IS adjacency state machine:
  • Neighbour discovery Bidirectional communication check:
    • Down
    • New
    • Two-way
  • Link-state database synchronization:
    • Initializing
  • Initial SPF computation:
    • Up
    • Rejected
Troubleshooting IS-IS:
  • Issue the show isis interface command to view the interfaces that have been configured for IS-IS.
  • Issue the show isis adjacency command to view the status of the IS-IS neighbour relationships.
  • Change the perspective of the CLI to that of the R2 logical system by issuing the set cli logical-system R2 command.
  • show route 192.168/16
    show route 2001::/16

    The mxC router's loopback interface route is missing.
  • Examine the link-state database using the show isis database command.
    Link-state PDU seems to be missing.
  • Connect to the missing router, enter configuration mode and navigate to the [edit protocols isis] hierarchy. Enable traceoptions using a file called isis and the flag error detail options.
    set traceoptions file isis
    set traceoptions flag error detail
  • Check the logs generated because of the traceoptions settings by issuing the show log isis command.
    ERROR: Possible sysid collision.
  • Navigate to the [edit interfaces lo0] hierarchy. Issue the show command and review the ISO address assigned to the loopback interface.
    family iso {
        address 99.0001.0000.0000.7801.00;
  • Fix the incorrectly configured address.
    rename unit 0 family iso address 99.0001.0000.0000.7801.00 to address 49.0001.0000.0000.7105.00

  • Exit from the logical-system:
    clear cli logical-system
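The sysid collision traced above comes down to how the NET on lo0 splits into area, system ID and NSEL. The Python sketch below is an added example, not part of the original notes: it parses NETs and flags duplicate system IDs and area outliers. The router names mxA and mxB and their NETs are constructed; mxC's two NETs are the ones shown above.

```python
from collections import defaultdict


def parse_net(net: str) -> dict:
    """Split an ISO NET such as 49.0001.0000.0000.7105.00 into its fields."""
    raw = bytes.fromhex(net.replace(".", ""))  # ValueError on non-hex input
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"NET must be 8 to 20 bytes, got {len(raw)}: {net}")
    # Last byte is the NSEL, the six bytes before it the system ID,
    # everything in front of that is the area (AFI included).
    area, sysid, nsel = raw[:-7].hex(), raw[-7:-1].hex(), raw[-1]
    if nsel != 0:
        raise ValueError(f"NSEL must be 00 in a NET: {net}")
    # Display form: AFI byte, then the rest of the area in 4-digit groups.
    groups = [area[:2]] + [area[i:i + 4] for i in range(2, len(area), 4)]
    return {
        "area": ".".join(groups),
        "system_id": ".".join(sysid[i:i + 4] for i in (0, 4, 8)),
    }


def audit(inventory: dict) -> dict:
    """Report system IDs used by more than one router, and routers per area."""
    by_sysid, by_area = defaultdict(list), defaultdict(list)
    for router, net in sorted(inventory.items()):
        fields = parse_net(net)
        by_sysid[fields["system_id"]].append(router)
        by_area[fields["area"]].append(router)
    return {
        "sysid_collisions": {s: r for s, r in by_sysid.items() if len(r) > 1},
        "areas": dict(by_area),
    }


# mxC's NETs are the ones shown on the page; mxA and mxB are constructed.
BEFORE = {
    "mxA": "49.0001.0000.0000.7801.00",
    "mxB": "49.0001.0000.0000.7102.00",
    "mxC": "99.0001.0000.0000.7801.00",
}
AFTER = dict(BEFORE, mxC="49.0001.0000.0000.7105.00")  # after the rename

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(inventory))
```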
Troubleshooting BGP:
  • Use the show bgp summary command to view the BGP neighborships.
  • Use the show bgp neighbor 172.22.131.37 command to examine the session that is currently in an Active state.
    Peer: 172.22.131.37 AS 65230 Local: 172.22.131.38 AS 65501
    Error: 'Open Message Error' Sent: 6 Recv: 0
  • Enter into configuration mode and navigate to the [edit protocols bgp] hierarchy and enable traceoptions flagging the normal and open conditions.
    set traceoptions file bgp-trace
    set traceoptions flag normal
    set traceoptions flag open
  • Review the contents of the new traceoptions file and identify why the neighborship with the EBGP peer fails to establish.
    show log bgp-trace
    bgp_process_open:4059: NOTIFICATION sent to 172.22.131.37 (External AS 65230): code 2 (Open Message Error) subcode 2 (bad peer AS number), Reason: peer 172.22.131.37 (External AS 65230) claims 65530, 65230 configured
    The message indicates that 65230 is configured locally as the peer AS, but the peer claims AS 65530.
  • Issue the show configuration protocols bgp command to find the group name. Correct the peer AS number for the EBGP group by changing the configured peer AS to 65530.
    set group ebgp-AS65530 peer-as 65530
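The trace line above can be checked mechanically. This Python sketch is an added example, not part of the original notes or a Juniper tool: it extracts the configured and claimed AS from NOTIFICATION entries of the shape shown in bgp-trace. The regular expressions are modelled on that single line (an assumption), and the sample lines marked as constructed are not from a real device.

```python
import re
from typing import NamedTuple, Optional

NOTIFY_RE = re.compile(
    r"NOTIFICATION sent to (?P<peer>\S+) "
    r"\((?:External|Internal) AS (?P<configured_as>\d+)\): "
    r"code (?P<code>\d+) \([^)]*\) "
    r"subcode (?P<subcode>\d+) \([^)]*\)"
)
CLAIMS_RE = re.compile(r"claims (?P<claimed>\d+), \d+ configured")


class Notification(NamedTuple):
    peer: str
    code: int
    subcode: int
    configured_as: int
    claimed_as: Optional[int]


def parse_notification(line: str) -> Optional[Notification]:
    """Parse one trace line; return None if it is not a sent NOTIFICATION."""
    m = NOTIFY_RE.search(line)
    if m is None:
        return None
    claims = CLAIMS_RE.search(line, m.end())  # only look in the Reason part
    return Notification(
        peer=m["peer"],
        code=int(m["code"]),
        subcode=int(m["subcode"]),
        configured_as=int(m["configured_as"]),
        claimed_as=int(claims["claimed"]) if claims else None,
    )


def peer_as_mismatches(log_text: str) -> dict:
    """Map peer -> (configured AS, AS the peer claimed)."""
    found = {}
    for line in log_text.splitlines():
        n = parse_notification(line)
        # RFC 4271: code 2 is OPEN Message Error, subcode 2 is Bad Peer AS.
        if n and (n.code, n.subcode) == (2, 2) and n.claimed_as is not None:
            found[n.peer] = (n.configured_as, n.claimed_as)
    return found


# First line is the trace entry quoted on the page; the other two are constructed.
SAMPLE_LOG = """\
bgp_process_open:4059: NOTIFICATION sent to 172.22.131.37 (External AS 65230): code 2 (Open Message Error) subcode 2 (bad peer AS number), Reason: peer 172.22.131.37 (External AS 65230) claims 65530, 65230 configured
constructed: unrelated trace line that must be ignored
bgp_process_open:4059: NOTIFICATION sent to 192.0.2.9 (External AS 64512): code 2 (Open Message Error) subcode 2 (bad peer AS number), Reason: peer 192.0.2.9 (External AS 64512) claims 64513, 64512 configured
"""

if __name__ == "__main__":
    for peer, (configured, claimed) in peer_as_mismatches(SAMPLE_LOG).items():
        print(f"{peer}: peer-as {configured} configured, peer claims {claimed}")
```

Confirm the claimed AS against the peering record before changing peer-as; a peer announcing an unexpected AS can also mean the session terminates on the wrong device.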
Routing Policy Overview:
  • Import and export protocol policies
    • The role of policies in the flow of routing information
    Neighbors - Import policy > Routing information base - Export policy > Neighbors
    Routing information base - Best route selection > Forwarding Table
  • Forwarding table export policy:

    Routing information base - Best route selection with Export policy > Forwarding Table

    user@router# show routing-options
    autonomous-system 65512;
    forwarding-table {
        export forwarding-policy;
    }
  1. Examples of RE exception traffic:
    • OSPF hello packets that are sent from a remote router and are destined for the local router.
    • Telnet traffic that is sent from a remote host and is destined for the local router.
    • SCP traffic that is destined for router's loopback interface.
    • SFTP traffic that enters one interface and is destined for a local physical interface.
    • SFTP traffic that enters and exits the same interface on the local router.
    If it is transit traffic, it is not exception traffic:
    - SCP traffic that enters one interface and exits another interface on a local router.
    - BGP updates that travel through the local router and are destined for a remote router.
    - Telnet traffic that travels through the local router and is destined for a remote end host.
  2. You receive an alarm that a Junos device is experiencing temperature problems. Use the show chassis temperature-thresholds and show chassis environment commands to investigate this problem.

    How to verify the component status, temperature, and cooling system:
    kb.juniper.net/InfoCenter/index?page=content&id=KB10969

    The show chassis hardware command displays a list of all Flexible PIC Concentrators (FPCs) and PICs installed on the router or switch chassis, including the hardware version level and serial number.

    The show chassis pic fpc-slot pic-slot command displays status information about the PIC installed in the specified FPC and PIC slot.
  1. The Junos OS writes traceoptions files to the /var/log/ directory.
    www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceoptions-edit-routing-options.html

    Example: Viewing BGP Trace Files on Logical Systems:
    www.juniper.net/documentation/en_US/junos/topics/example/logical-systems-file-system.html
  2. The request system halt command gracefully shuts down the Junos OS.
  3. Rescue configurations:
    • The rescue configuration must contain the minimal elements necessary to restore network connectivity.
    • A rescue configuration must include a root password.
  4. Default protocol preference values:
    • Direct and local routes: 0
    • OSPF internal route: 10
    • OSPF AS external routes: 150
    • BGP: 170
    www.juniper.net/documentation/en_US/junos/topics/reference/general/routing-protocols-default-route-preference-values.html
  5. show route protocol direct command will display only direct routes.
  6. firewall {
        filter select-telnet {
            term 1 {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then log;
            }
            term 2 {
                from {
                    protocol tcp;
                    port telnet;
                }
                then {
                    syslog;
                    reject;
                }
            }
            term 3 {
                from {
                    source-address {
                        10.1.1.1/32;
                    }
                    protocol tcp;
                    port telnet;
                }
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    A Telnet session initiated from host 10.1.1.1 will be rejected and sent to the syslog server configured under system.
    Traffic not matching any of the three terms will be dropped by the implicit-deny rule.

  7. The Junos OS supports three methods of user authentication: local password authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+).

  8. show interfaces command displays active alarms on interface so-0/0/0.0.
  9. 11001111 represents the binary equivalent of 207.
  10. [edit interfaces]
    user@router# show
    me0 {
        disable;
        unit 0 {
            family inet {
                address 10.1.1.10/24;
            }
        }
    }
    Administrators report that they are unable to access the management interface of the EX Series device shown above. The delete me0 disable command will resolve this problem.
  11. Routing tables:
    • Information learned from routing protocols is stored in the routing table.
    • Devices running the Junos OS can accommodate multiple routing tables.
    • inet.0 - Stores IPv4 Unicast Routes:
      • It is used for populating the forwarding table.
      • It stores information learned from routing protocols and other sources.
  12. [edit policy-options policy-statement my-policy]
    user@router# show
    term 1 {
        from {
            route-filter 192.168.0.0/16 orlonger;
        }
        then accept;
    }
    Example networks match the policy: 192.168.0.0/16, 192.168.65.0/24, and 192.168.24.89/32.
  13. After editing the device's configuration, you must enter the commit command to activate the configuration changes.
  14. Use the edit interfaces command to navigate to [edit interfaces].
  15. user@router# run show interfaces terse
    Interface               Admin Link Proto    Local
    fe-0/0/0                up    up
    fe-0/0/0.0              up    up   inet     10.0.39.2/24
                                       iso
                                       mpls
    fe-0/0/1                up    up
    fe-0/0/1.0              up    up   inet     10.0.18.2/24
    fe-0/0/1.5              down  up   inet     10.0.19.2/24
    An administrator is unable to ping any address on the 10.0.19.0/24 subnet. To identify the problem, the administrator uses the command shown above. To solve the problem, issue the delete interfaces fe-0/0/1.5 disable command.
  1. [edit system syslog]
    user@router# show
    host 152.170.10.10 {
        any warning;
    }
    file changes {
        change-log info;
    }
    • Any warning message will be sent to the 152.170.10.10 host.
    • Changes to the configuration will be logged.
  2. To back up the device's current configuration to an archive site, you can configure the router or switch to transfer its currently active configuration by FTP or secure copy (SCP), either periodically or after each commit.
    www.juniper.net/documentation/en_US/junos/topics/task/configuration/junos-software-system-management-router-configuration-archiving.html#jd0e43
  3. When the reject parameter is used as the next-hop value for a static route, the packet is dropped from the network and the system sends an ICMP message back to the source of the packet.
    set routing-options static route 10.1.1.1/32 reject
    www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-actions-terminating.html

  4. Routing policies are defined at the [edit policy-options] hierarchy.

  5. set policy-options policy-statement <policy-name> term <term-name> from protocol static
    set policy-options policy-statement <policy-name> term <term-name> then accept
    set protocols ospf export <policy-name>
    These commands apply a policy to redistribute static routes into OSPF.

  6. show route forwarding-table command will display the contents of the forwarding table.
  7. Commands that allow you to return to a previous version of software on the device:
    • request system software add
    • request system software rollback
  8. Cisco automatically resolves recursive routes, that is, routes whose next hop is not on a directly connected interface. Junos does not behave this way, so you have to configure the resolve option.
    For example, a Cisco configuration using recursive routes:
    interface fast 0/0
    ip add 3.3.3.1 255.255.255.0
    ip route 1.1.1.0 255.255.255.0 2.2.2.2
    ip route 2.2.2.0 255.255.255.0 3.3.3.3
    Usually the second static route would be a dynamically learned route; it makes no sense to configure two recursive statics.

    Under Junos the configuration will be something like this:
    set interfaces fe-0/0/0 unit 0 family inet address 3.3.3.1/24
    set routing-options static route 1.1.1.0/24 next-hop 2.2.2.2 resolve
    set routing-options static route 2.2.2.0/24 next-hop 3.3.3.3
    If you don't use the resolve option, the first static route will be hidden because it has no active next hop.
  9. An advantage of dynamic routing is that it can provide increased network availability when compared to static routing.
  10. 110 represents the decimal equivalent of 01101110.
  11. You must segment an internal /24 network into a minimum of 12 subnets, each containing a minimum of 12 hosts. Use a /28 network mask.
  12. [edit snmp]
    user@router# show
    community CommunityA {
        authorization read-only;
        clients {
            192.168.1.0/28;
        }
    }
    trap-group groupA {
        categories {
            link;
        }
        targets {
            192.168.100.1;
            192.168.200.1;
        }
    }
    • The purpose of the targets section of the configuration is to specify where to send traps.
  13. user@router> show route protocol static

    inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.1.128/27   *[Static/5] 00:02:44
                        > to 10.20.106.10 via ge-0/0/5.0
    192.168.1.128/28   *[Static/5] 00:01:00
                        > to 10.85.229.26 via ge-0/0/0.0
    192.168.1.144/29   *[Static/5] 00:01:00
                        > to 10.85.229.26 via ge-0/0/0.0
    192.168.1.192/27   *[Static/5] 00:01:00
                        > to 10.18.1.1 via ge-0/0/1.0
    Given the routing entries shown above, the next-hop IP address 10.20.106.10 will be used for the destination IP address 192.168.1.159.
  14. Issue the show chassis routing-engine command to view the details of your router's RE.
    • The temperature of the Routing Engine's CPU:
      CPU temperature 37 degrees C / 98 degrees F
    • DRAM 16330 MB (16384 MB installed)
      There is 16384 MB of DRAM installed.
    • 15 min CPU utilization:
      Idle 99 percent
      The RE CPU idle utilization in the last 15 minutes is 99%
    • Uptime 124 days, 1 hour, 12 minutes, 55 seconds
      The RE has been powered up for 124 days, 1 hour, 12 minutes, 55 seconds.
  15. 231 represents the decimal equivalent of 11100111.
  16. > help ?
    Possible completions:
    Execute this command
    apropos Find help information about a topic
    reference Reference material
    syslog System log error messages
    tip Tip for the day
    topic Help for high-level topics
    | Pipe through a command
  17. # load factory-default = Cisco writ era/commit rep: used to restore a Junos device to its default state.
  18. On the 192.168.1.24/29 network, the minimum host address is 192.168.1.25, and the maximum host address is 192.168.1.30.
  19. When troubleshooting ATM, the ping atm vci 0.100 interface at-0/1/0 end-to-end command allows testing reachability from one side of an ATM cloud to the other.
    www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/ping-atm.html
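The default preference values listed earlier and the show route protocol static question (item 13) are two halves of one decision: preference picks the active route for a prefix, then the longest matching prefix picks the next hop. The Python sketch below is an added example, not part of the original notes; the Static entries are the ones in the output above, and the OSPF and BGP entries are constructed.

```python
import ipaddress

# Default preferences listed on the page; Static/5 is visible in its route output.
PREFERENCE = {"Direct": 0, "Local": 0, "Static": 5, "OSPF": 10,
              "OSPF-external": 150, "BGP": 170}

# (prefix, protocol, next hop). The first four are the page's static routes.
RIB = [
    ("192.168.1.128/27", "Static", "10.20.106.10"),
    ("192.168.1.128/28", "Static", "10.85.229.26"),
    ("192.168.1.144/29", "Static", "10.85.229.26"),
    ("192.168.1.192/27", "Static", "10.18.1.1"),
    ("192.168.1.128/28", "OSPF", "10.20.106.10"),  # constructed: loses to Static/5
    ("192.168.1.0/24", "BGP", "10.18.1.1"),        # constructed: covering route
]


def active_routes(rib):
    """Per prefix, keep the route whose protocol has the lowest preference."""
    best = {}
    for prefix, proto, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if net not in best or PREFERENCE[proto] < PREFERENCE[best[net][0]]:
            best[net] = (proto, next_hop)
    return best


def lookup(dest, rib):
    """Longest-prefix match over the active routes; None if nothing covers dest."""
    addr = ipaddress.ip_address(dest)
    hits = [(net, route) for net, route in active_routes(rib).items() if addr in net]
    if not hits:
        return None
    # Preference only breaks ties between routes to the same prefix;
    # across prefixes the most specific one wins regardless of protocol.
    net, (proto, next_hop) = max(hits, key=lambda hit: hit[0].prefixlen)
    return str(net), proto, next_hop


if __name__ == "__main__":
    for dest in ("192.168.1.159", "192.168.1.130", "192.168.1.145",
                 "192.168.1.160", "10.9.9.9"):
        print(dest, "->", lookup(dest, RIB))
```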
  1. inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    172.23.10.0/24     *[Direct/0] 00:01:19
                        > via ge-0/0/6.0
    172.23.10.100/32   *[Local/0] 00:01:19
                          Local via ge-0/0/6.0
    172.23.12.0/24     *[Static/5] 00:00:48
                        > to 172.23.10.1 via ge-0/0/6.0
    172.23.15.0/24     *[Static/5] 00:00:48
                        > to 172.23.10.1 via ge-0/0/6.0
    Users are unable to access resources in the 172.23.14.0/24 subnet. Configuring a default static route or configuring a static route to 172.23.14.0/24 would solve this problem.
  2. route-filter 192.168.0.0/16 longer;
    • 192.168.0.0/17
    • ...
    • 192.168.255.255/32
  3. A network contains 120 routers. You must establish and maintain connectivity between the loopback interfaces of all routers. Because of the critical services using the network, you need redundancy and fast failover. The OSPF routing protocol should be used in this scenario.
  4. Broadcast domains consist of devices that reside on the same VLAN and are reachable by frames addressed to the Layer 2 broadcast address.
  5. If a switch is used, the Ethernet collision domain is limited to each device and the switch.
  6. [edit interfaces ge-0/0/0 unit 0]
    user@router# show
    family inet {
        address 10.85.229.25/30;
    }

    [edit interfaces ge-0/0/0 unit 0]
    user@router# set family inet address 10.84.229.25/30 > add an additional address

    [edit interfaces ge-0/0/0 unit 0]
    user@router# show
    family inet {
        address 10.85.229.25/30;
        address 10.84.229.25/30;
    }
  7. Example: Controlling Static Routes in Routing and Forwarding Tables:
    www.juniper.net/documentation/en_US/junos12.3/topics/topic-map/policy-static-route-control.html
  8. Firewall Filter IPv6:
    [edit]
    user@router# show firewall
    family inet6 {
        filter count-no-header {
            term 1 {
                from {
                    next-header no-next-header;
                }
                then {
                    count count-no-header;
                    accept;
                }
            }
        }
    }

    [edit]
    user@router# show interfaces ge-0/0/0
    unit 0 {
        family inet {
            address 10.10.10.3/24;
        }
        family inet6 {
            filter {
                input count-no-header;
            }
            address 2001::1/64;
        }
    }

  9. set interfaces ge-0/0/0 unit 0 family inet mtu 1200 command will configure the maximum transmission unit size of an interface.
  10. The user@router# show | display set | save /var/tmp/current.conf command saves the current candidate configuration in the set format to permanent storage media.
  11. You have been allocated a /22 network. How many usable hosts are available?
    • /22 = 4 Class C
    • 1 Class C = 256 IP addresses
    • /22 = 1,024 IP addresses
    • Usable = 1,022 hosts
  12. On an Ethernet connection, a duplex mismatch is a condition where two connected devices operate in different duplex modes, that is, one operates in half duplex while the other one operates in full duplex.
  13. The primary address on an interface is the address that is used by default as the local address for broadcast and multicast packets sourced locally and sent out the interface. For example, the local address in the packets sent by a ping interface so-0/0/0.0 255.255.255.255 command is the primary address on interface so-0/0/0.0. The primary address flag also can be useful for selecting the local address used for packets sent out unnumbered interfaces when multiple non-127 addresses are configured on the loopback interface, lo0. By default, the primary address on an interface is selected as the numerically lowest local address configured on the interface.
    www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-default-primary-and-preferred-addresses-and-interfaces.html
    > ping interface ge-0/0/1.0 255.255.255.255
    PING 255.255.255.255 (255.255.255.255): 56 data bytes
    64 bytes from 10.0.0.6: icmp_seq=0 ttl=64 time=0.693 ms
    networkology.net/2012/03/18/assigning-a-secondary-ip-address-to-an-interface-in-junos
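The my-policy exhibit (route-filter 192.168.0.0/16 orlonger) and the route-filter 192.168.0.0/16 longer item above both depend on how route-filter match types compare prefix lengths. The Python sketch below is an added example, not Junos code or part of the original notes; it models exact, orlonger, longer, upto and prefix-length-range, which goes beyond the two types the notes use. The last two prefixes in ROUTES are constructed non-matches.

```python
import ipaddress


def route_filter_match(route: str, prefix: str, match_type: str, arg: str = "") -> bool:
    """Return True if route matches 'route-filter <prefix> <match_type> [arg]'."""
    r, f = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    # Every match type modelled here first requires the route to fall
    # inside the filter prefix (same leading bits, equal or longer mask).
    if r.version != f.version or not r.subnet_of(f):
        return False
    if match_type == "exact":
        return r.prefixlen == f.prefixlen
    if match_type == "orlonger":
        return True
    if match_type == "longer":
        return r.prefixlen > f.prefixlen
    if match_type == "upto":                     # arg such as "/24"
        return r.prefixlen <= int(arg.lstrip("/"))
    if match_type == "prefix-length-range":      # arg such as "/17-/24"
        low, high = (int(part.lstrip("/")) for part in arg.split("-"))
        return low <= r.prefixlen <= high
    raise ValueError(f"match type not modelled: {match_type}")


# The first five prefixes appear on the page; the last two are constructed.
ROUTES = [
    "192.168.0.0/16", "192.168.65.0/24", "192.168.24.89/32",
    "192.168.0.0/17", "192.168.255.255/32",
    "192.169.0.0/16", "192.0.0.0/8",
]


def matching(prefix: str, match_type: str, arg: str = "") -> list:
    """Routes from ROUTES that the given route-filter would match."""
    return [r for r in ROUTES if route_filter_match(r, prefix, match_type, arg)]


if __name__ == "__main__":
    for match_type, arg in [("exact", ""), ("orlonger", ""), ("longer", ""),
                            ("upto", "/24"), ("prefix-length-range", "/17-/24")]:
        label = f"{match_type} {arg}".strip()
        print(f"192.168.0.0/16 {label}: {matching('192.168.0.0/16', match_type, arg)}")
```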