Juniper useful command reference

| MAC Limiting | Command |
|---|---|
| configuring an accepted source MAC on an interface | set interfaces ge-0/0/0.0 accept-source-mac mac-address 00:11:22:33:44:55 |
| configuring a MAC limit under switch-options (packet-action is one of log, drop, shutdown, drop-and-log) | set switch-options interface ge-0/0/0.0 interface-mac-limit 2 packet-action [log drop shutdown drop-and-log] |
| configuring a MAC limit under vlans | set vlans VLAN_3 switch-options interface-mac-limit 10 packet-action drop-and-log |
| configuring a MAC move limit (moves per second) | set vlans VLAN_10 switch-options mac-move-limit 1 packet-action shutdown |
| manually restoring all interfaces disabled by a violation | clear ethernet-switching recovery-timeout |
| manually restoring one interface | clear ethernet-switching recovery-timeout interface ge-0/0/0 |
| automatically restoring after 30 seconds | set interfaces ge-0/0/0.0 family ethernet-switching recovery-timeout 30 |
| showing logs | show log messages \| match L2ALD |
| showing interface flags | show ethernet-switching interface ge-0/0/0 |

| Persistent MAC Learning | Command |
|---|---|
| configuring persistent MAC learning | set switch-options interface ge-0/0/0.0 persistent-learning |
| showing the persistent (P) flag | show ethernet-switching table |
| clearing learned persistent MACs | clear ethernet-switching table persistent-learning |

| DHCP Snooping | Command |
|---|---|
| configuring DHCP snooping: trusted group with the uplink interface | set vlans VLAN_10 forwarding-options dhcp-security group TRUSTED interface ge-0/0/0 |
| allowing DHCP server traffic (offer, ack, nak) on the trusted group | set vlans VLAN_10 forwarding-options dhcp-security group TRUSTED overrides trusted |
| placing access interfaces in the untrusted group | set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/1 |
| | set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/2 |
| specifying a persistent DHCP snooping database file | set system processes dhcp-service dhcp-snooping-file local file_name |
| showing the binding table | show dhcp-security binding |
| clearing bindings (all, or by vlan, interface or ip-address) | clear dhcp-security binding [ all vlan interface ip-address ] |
| adding a static binding | set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/1 static-ip 10.10.20.20 mac 11:11:22:22:33:33 |

| Dynamic ARP Inspection | Command |
|---|---|
| configuring DAI | set vlans VLAN_10 forwarding-options dhcp-security arp-inspection |
| showing the binding table | show dhcp-security binding |
| showing ARP inspection statistics | show dhcp-security arp inspection statistics |
| showing logs | show log messages \| match DAI |

| IP Source Guard | Command |
|---|---|
| configuring IP source guard | set vlans VLAN_10 forwarding-options dhcp-security ip-source-guard |
| showing the binding table | show dhcp-security binding |

| MACsec | Command |
|---|---|
| creating a connectivity association | edit security macsec connectivity-association outdoor_sw |
| using static CAK security mode | set security-mode static-cak |
| setting the pre-shared key name (CKN, hex string) | set pre-shared-key ckn hex_1 |
| setting the pre-shared key (CAK, hex string) | set pre-shared-key cak hex_2 |
| moving up one level to [edit security macsec] | up |
| binding the uplink interface to the connectivity association | set interfaces uplink_to_outdoor_sw connectivity-association outdoor_sw |
| showing MACsec connections | show security macsec connections |

| Ethernet-switching | Command |
|---|---|
| configuring the global MAC table aging time | set protocols l2-learning global-mac-table-aging-time seconds |
| showing the forwarding table | show route forwarding-table family ethernet-switching |
| inserting a static MAC entry | set vlans data switch-options interface ge-0/0/7.0 static-mac 00:11:22:33:44:55 |
| restarting the interface control process (dcd) | restart interface-control |

| Spanning tree | Command |
|---|---|
| BPDU protection when STP is enabled: mark the port as an edge port | set protocols rstp interface ge-0/0/7.0 edge |
| BPDU protection when STP is enabled: block BPDUs received on edge ports | set protocols rstp bpdu-block-on-edge |
| BPDU protection when STP is not enabled | set protocols layer2-control bpdu-block interface ge-0/0/7 |
| identifying a BPDU error | show interfaces ge-0/0/7 \| match "BPDU error" |
| clearing a BPDU error | clear error bpdu interface ge-0/0/7.0 |
| automatically re-enabling a BPDU-blocked interface after a timeout | set protocols layer2-control bpdu-block disable-timeout seconds |
| enabling loop protection (enable on all point-to-point links of non-root bridge devices) | set protocols rstp interface ge-0/0/0.0 bpdu-timeout-action block |
| | set protocols rstp interface ge-0/0/1.0 bpdu-timeout-action block |
| showing loop protection on interfaces | show spanning-tree interface \| match "loop" |
| showing loop protection in the logs | show log messages \| match "loop\|protect" |
| enabling root protection (enable on all point-to-point links of the root bridge and the backup root bridge) | set protocols rstp interface ge-0/0/0.0 no-root-port |
| | set protocols rstp interface ge-0/0/1.0 no-root-port |
| showing root protection on interfaces | show spanning-tree interface \| match "root" |

| Storm Control | Command |
|---|---|
| limiting total broadcast, multicast and unknown unicast traffic to 80% on an interface and dropping the excess: bind the default profile to the interface | set interfaces ge-0/0/7.0 family ethernet-switching storm-control default |
| define the default profile for all traffic types | set forwarding-options storm-control-profiles default all |
| changing the default behaviour to shut the interface down when traffic exceeds the limit | set forwarding-options storm-control-profiles default action-shutdown |
| re-enabling an interface that storm control shut down | clear ethernet-switching recovery-timeout |
| or configuring an automatic recovery timeout (10 to 3600 seconds) | set interfaces ge-0/0/7.0 family ethernet-switching recovery-timeout [ 10 - 3600 seconds ] |
| showing violations | show ethernet-switching interface ge-0/0/7 \| match SCTL |
| showing violations in the log messages | show log messages \| match L2ALD_ST_CTL |

| Firewall Filters | Command |
|---|---|
| creating an ethernet-switching firewall filter that discards frames to the STP multicast MAC (the final term accepts the remaining traffic; without it the implicit discard at the end of the filter drops everything) | edit firewall family ethernet-switching filter MY_FILTER |
| | set term T1 from destination-mac-address 01:80:c2:00:00:00 |
| | set term T1 then discard |
| | set term T2 then accept |
| applying to an interface | set interfaces ge-0/0/7.0 family ethernet-switching filter input MY_FILTER |
| applying to a VLAN | set vlans VLAN_X forwarding-options filter input MY_FILTER |

| Virtual Chassis | Command |
|---|---|
| accessing a specific member | request session member member-id |
| changing a member ID | request virtual-chassis renumber member-id old-id new-member-id new-id |
| manual software upgrade of one member | request system software add /var/tmp/jinstall-abc.tgz member member-id |
| automatic software upgrade of joining members | set virtual-chassis auto-sw-upgrade package-name /var/tmp/jinstall-abc.tgz |
| converting a port into a virtual chassis port | request virtual-chassis vc-port set pic-slot pic-id port port-id |
| showing virtual chassis ports | show virtual-chassis vc-port |
| with a two-member virtual chassis, it is recommended to disable split detection | set virtual-chassis no-split-detection |
| NSSU upgrade | request system software nonstop-upgrade /var/tmp/junos.tgz |
| NSSU upgrade with mixed platforms | request system software nonstop-upgrade set [ /var/tmp/junos1.tgz /var/tmp/junos2.tgz ] |

| GRES | Command |
|---|---|
| configuring GRES | set chassis redundancy graceful-switchover |
| showing switchover readiness (available only on the backup routing engine) | show system switchover |
| manually changing the master and backup state | request chassis routing-engine master [acquire release switch] |

| NSR | Command |
|---|---|
| configuring NSR (first enable GRES) | set routing-options nonstop-routing |
| | set system commit synchronize |
| verifying replication on the master routing engine | show task replication |
| verifying replicated state on the backup routing engine | show ospf neighbor |
| | show bgp summary |
| | show route |

| NSB | Command |
|---|---|
| configuring NSB (first enable GRES) | set protocols layer2-control nonstop-bridging |
| verifying NSB | show spanning-tree bridge |