Juniper useful command reference
MAC Limiting | |
configuring accept mac | set interfaces ge-0/0/0.0 accept-source-mac mac-address 00:11:22:33:44:55 |
configuring mac limit under switch-options | set switch-options interface ge-0/0/0.0 interface-mac-limit 2 packet-action [log drop shutdown drop-and-log] |
configuring mac limit under vlans | set vlans VLAN_3 switch-options interface-mac-limit 10 packet-action drop-and-log |
configuring mac move limit (per second) | set vlans VLAN_10 switch-options mac-move-limit 1 packet-action shutdown |
manually restore | clear ethernet-switching recovery-timeout |
manually restore for an interface | clear ethernet-switching recovery-timeout interface ge-0/0/0 |
automatically restore | set interfaces ge-0/0/0.0 family ethernet-switching recovery-timeout 30 |
showing logs | show log messages | match L2ALD |
showing flags | show ethernet-switching interface ge-0/0/0 |
Persistent MAC Learning | |
configuring persistent mac learning | set switch-options interface ge-0/0/0.0 persistent-learning |
showing persistent P flag | show ethernet-switching table |
clearing learned persistent macs | clear ethernet-switching table persistent-learning |
DHCP Snooping | |
configuring DHCP snooping | set vlans VLAN_10 forwarding-options dhcp-security group TRUSTED interface ge-0/0/0 |
allowing DHCP server traffic such as DHCP offer, ack, nak | set vlans VLAN_10 forwarding-options dhcp-security group TRUSTED overrides trusted |
| set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/1 |
| set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/2 |
specifying dhcp snooping db | set system processes dhcp-service dhcp-snooping file file_name |
showing binding table | show dhcp-security binding |
clearing binding | clear dhcp-security binding [ all vlan interface ip-address ] |
adding static entries | set vlans VLAN_10 forwarding-options dhcp-security group UNTRUSTED interface ge-0/0/1 static-ip 10.10.20.20 mac 11:11:22:22:33:33 |
Dynamic ARP Inspection | |
configuring DAI | set vlans VLAN_10 forwarding-options dhcp-security arp-inspection |
showing binding table | show dhcp-security binding |
showing arp inspection statistics | show dhcp-security arp inspection statistics |
showing logs | show log messages | match DAI |
IP Source Guard | |
configuring ip source guard | set vlans VLAN_10 forwarding-options dhcp-security ip-source-guard |
showing binding table | show dhcp-security binding |
MACsec | |
configuring macsec | edit security macsec connectivity-association outdoor_sw |
| set security-mode static-cak |
| set pre-shared-key ckn hex_1 |
| set pre-shared-key cak hex_2 |
| up |
| set interfaces uplink_to_outdoor_sw connectivity-association outdoor_sw |
show macsec connections | show security macsec connections |
Ethernet-switching | |
Configure Global MAC Table Aging Time | set protocols l2-learning global-mac-table-aging-time seconds |
showing forwarding table | show route forwarding-table family ethernet-switching |
insert static mac entry | set vlans data switch-options interface ge-0/0/7.0 static-mac 00:11:22:33:44:55 |
??? | restart interface-control |
Spanning tree | |
BPDU protection when STP enabled | set protocols rstp interface ge-0/0/7.0 edge |
| set protocols rstp bpdu-block-on-edge |
BPDU protection when STP not enabled | set protocols layer2-control bpdu-block interface ge-0/0/7 |
Identify if BPDU error | show interfaces ge-0/0/7 | match "BPDU error" |
clearing BPDU error | clear error bpdu interface ge-0/0/7.0 |
Automatically clear the BPDU block after a timeout | set protocols layer2-control bpdu-block disable-timeout seconds |
Enabling Loop Protection (enable on all P2P links for non root bridge devices) | set protocols rstp interface ge-0/0/0.0 bpdu-timeout-action block |
| set protocols rstp interface ge-0/0/1.0 bpdu-timeout-action block |
showing loop on interfaces | show spanning-tree interface | match "loop" |
showing loop on logs | show log messages | match "loop|protect" |
Enabling Root Protection (enable on all P2P links for root bridge device and backup root bridge) | set protocols rstp interface ge-0/0/0.0 no-root-port |
| set protocols rstp interface ge-0/0/1.0 no-root-port |
showing root protection on interfaces | show spanning-tree interface | match "root" |
Storm Control | |
Limiting total broadcast, multicast and unknown unicast traffic to 80% for an interface; the excess is dropped | set interfaces ge-0/0/7.0 family ethernet-switching storm-control default |
| set forwarding-options storm-control-profiles default all |
Changing the default behavior to shutdown when the traffic exceeds the limit | set forwarding-options storm-control-profiles default action-shutdown |
If an interface is shutdown due to storm control we need to re-enable it | clear ethernet-switching recovery-timeout |
Or, we can configure automatic recovery timeout. | set interfaces ge-0/0/7.0 family ethernet-switching recovery-timeout [ 10-3600 seconds ] |
showing violation | show ethernet-switching interface ge-0/0/7 | match SCTL |
showing it in the log messages | show log messages | match L2ALD_ST_CTL |
Firewall Filters | |
Creating ethernet-switching firewall filter | edit firewall family ethernet-switching filter MY_FILTER |
| set term T1 from destination-mac-address 01:80:c2:00:00:00 |
| set term T1 then discard |
| set term T2 then discard |
Applying to an interface | set interfaces ge-0/0/7.0 family ethernet-switching filter input MY_FILTER |
Applying to a VLAN | set vlans VLAN_X forwarding-options filter input MY_FILTER |
Virtual Chassis | |
access to specific member | request session member member-id |
Changing member ID | request virtual-chassis renumber member-id old-id new-member-id new-id |
manual software upgrade | request system software add member member-id |
auto software upgrade | set virtual-chassis auto-sw-upgrade package-name /var/tmp/jinstall-abc.tgz |
| request virtual-chassis vc-port set pic-slot pic-id port port-id |
| show virtual-chassis vc-port |
recommended when the Virtual Chassis has 2 switches | set virtual-chassis no-split-detection |
NSSU upgrade | request system software nonstop-upgrade /var/tmp/junos.tgz |
NSSU upgrade with mixed platforms | request system software nonstop-upgrade set [ /var/tmp/junos1.tgz /var/tmp/junos2.tgz ] |
GRES | |
configuring GRES | set chassis redundancy graceful-switchover |
this is available only on the backup device | show system switchover |
manually change master and backup state | request chassis routing-engine master [acquire release switch] |
NSR | |
Configuring NSR (first enable GRES) | set routing-options nonstop-routing |
| set system commit synchronize |
on the master device | show task replication |
on the backup device | show ospf neighbor |
| show bgp summary |
| show route |
NSB | |
Configuring NSB (first enable GRES) | set protocols layer2-control nonstop-bridging |
verifying NSB | show spanning-tree bridge |