Håvard Ose Nordstrand, 1 year ago
commit 74a4bd14a5

3 changed files with 53 additions and 33 deletions:

1. networking/juniper-ex.md (+11 -13)
2. networking/juniper-junos.md (+12 -19)
3. networking/juniper-srx.md (+30 -1)

+ 11 - 13
networking/juniper-ex.md

@@ -103,6 +103,8 @@ breadcrumbs:
 
 ## Initial Setup
 
+Example for setting up base system for a simple L2 switch.
+
 1. Connect to the switch using serial:
     - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
 1. Login:
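Review bot: the new intro line should read "setting up a base system for a simple L2 switch"; since it now scopes the whole list to L2, it is also the natural place to say that the L3 steps further down are optional for that use case.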
@@ -130,13 +132,10 @@ breadcrumbs:
 1. Setup SSH:
     - Enable server: `set system services ssh`
     - Disable root login from SSH: `set system services ssh root-login deny`
-1. Set loopback addresses:
-    1. `set interfaces lo0.0 family inet address 127.0.0.1/32`
-    1. `set interfaces lo0.0 family inet6 address ::1/128`
 1. Set DNS servers:
     - `set system name-server <addr>` (once for each address)
 1. Set time:
-    1. (Optional) Set time locally: `set date <YYYYMMDDhhmm.ss>`
+    1. (Optional) Set time locally: `run set date <YYYYMMDDhhmm.ss>`
     1. Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
     1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
     1. Set time zone: `set system time-zone Europe/Oslo` (example)
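Review bot: the `run` prefix on `set date` is the right fix, since `set date` is an operational-mode command and the surrounding steps are typed in configuration mode. Deleting the loopback step, however, leaves the page with no lo0 configuration at all; if that is intentional for a pure L2 switch, add a one-line reason so readers who reuse the list for an L3 deployment know to restore it.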
@@ -144,8 +143,6 @@ breadcrumbs:
     1. (Note) After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
 1. Delete default interfaces configs:
     - `wildcard range delete interface ge-0/0/[0-47]` (example, repeat for all FPCs/PICs)
-1. Disable unused interfaces:
-    - `wildcard range set interface ge-0/0/[0-47] disable` (example, repeat for all FPCs/PICs)
 1. Disable dedicated management port and alarm:
     1. Disable: `set int me0 disable`
     1. Delete logical interface: `delete int me0.0`
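Review bot: removing "Disable unused interfaces" drops a baseline hardening control with no replacement; `wildcard range delete interface ge-0/0/[0-47]` only clears the interface configuration and leaves the ports enabled, so either keep the disable step or say where it moved. The same `run` fix applied to `set date` earlier also belongs on `set date ntp` in the note above, which is likewise an operational command issued after the commit.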
@@ -155,11 +152,11 @@ breadcrumbs:
     1. Disable logical interface: `set int vlan.0 disable`
 1. Create VLANs:
     - `set vlans <name> vlan-id <VID>`
-1. Setup interface-ranges (apply config to multiple configured interfaces):
+1. (Optional) Setup interface-ranges (apply config to multiple configured interfaces):
     - Declare range: `edit interfaces interface-range <name>`
     - Add member ports: `member-range <begin-if> to <end-if>`
     - Configure it as a normal interface, which will be applied to all members.
-1. Setup LACP:
+1. (Optional) Setup LACP:
     1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
     1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
     1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
@@ -172,7 +169,7 @@ breadcrumbs:
     1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
     1. Enter logical unit: `edit unit 0`
     1. Setup VLAN/address/etc. (see other examples).
-1. Setup VLAN interfaces:
+1. (Optional) Setup VLAN interfaces:
     1. Setup trunk ports:
         1. (Note) `vlan members` supports both numbers and names. Use the `[VLAN1 VLAN2 <...>]` syntax to specify multiple VLANs.
         1. (Note) Instead of specifying which VLANs to add, specify `vlan members all` and `vlan except <excluded-VLANs>`.
@@ -184,22 +181,22 @@ breadcrumbs:
     1. Setup access ports:
         1. Enter unit 0 and `family ethernet-switching` of the physical/LACP interface.
         1. Set access VLAN: `set vlan members <VLAN-name>`
-1. Setup L3 interfaces:
+1. (Optional) Setup L3 interfaces:
     1. (VLAN) Set L3-interface: `set vlans <name> l3-interface vlan.<VID>`
     1. Enter unit 0 of physical/LACP interface or `vlan.<VID>` for VLAN interfaces.
     1. Set IPv4 address: `set family inet address <address>/<prefix-length>`
     1. Set IPv6 address: `set family inet6 address <address>/<prefix-length>`
-1. Setup static IP routes:
+1. (Optional) Setup static IP routes:
     1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
     1. IPv6 default gateway: `set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>`
-1. Disable/enable Ethernet flow control:
+1. (Optional) Disable/enable Ethernet flow control:
     - (Note) Junos uses the symmetric/bidirectional PAUSE variant of flow control.
     - (Note) This simple PAUSE variant does not take traffic classes (for QoS) into account and will pause _all_ traffic for a short period (no random early detection (RED)) if the receiver detects that it's running out of buffer space, but it will prevent dropping packets _within_ the flow control-enabled section of the L2 network. Enabling it or disabling it boils down to if you prefer to pause (all) traffic or drop (some) traffic during congestion. As a guideline, keep it disabled generally (and use QoS or more sophisticated variants instead), but use it e.g. for dedicated iSCSI networks (which handle delays better than drops). Note that Ethernet and IP don't require guaranteed packet delivery.
     - (Note) It _may_ be enabled by default, so you should probably enable/disable it explicitly (the docs aren't consistent with my observations).
     - (Note) Simple/PAUSE flow control (`flow-control`) is mutually exclusive with priority-based flow control (PFC) and asymmetric flow control (`configured-flow-control`).
     - Disable on Ethernet interface (explicit): `set interface <if> [aggregated-]ether-options no-flow-control`
     - Enable (explicit): `... flow-control`
-1. Enable EEE (Energy-Efficient Ethernet, IEEE 802.3az):
+1. (Optional) Enable EEE (Energy-Efficient Ethernet, IEEE 802.3az):
     - (Note) For reducing power consumption during idle periods. Supported on RJ45 copper ports.
     - (Note) There generally is no reason to not enable this on all ports, however, there may be certain devices or protocols which don't play nice with EEE (due to poor implementations).
     - Enable on RJ45 Ethernet interface: `set interface <if> ether-options ieee-802-3az-eee`
@@ -220,6 +217,7 @@ breadcrumbs:
 1. Configure sFlow:
     - **TODO**
 1. Commit configuration: `commit [confirmed]`
+1. Exit config mode: `exit`
 1. Backup config to rescue config: `request system configuration rescue save`
 
 ## Commands
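Review bot: the added `exit` step is needed because `request system configuration rescue save` is an operational command, but it follows `commit [confirmed]` directly: a `commit confirmed` is rolled back automatically (10 minutes by default) unless a plain `commit` follows, so add a step to confirm before exiting, otherwise the rescue config can capture a configuration that is about to be reverted.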

+ 12 - 19
networking/juniper-junos.md

@@ -15,7 +15,7 @@ breadcrumbs:
 
 ## Commands
 
-**TODO** Cleanup.
+**TODO** Cleanup. Combine with SRX- and QFX-setup?
 
 ### Usage
 
@@ -164,6 +164,11 @@ breadcrumbs:
     - Supports XML scripting. And Python for newer devices.
     - Supports commit scripts to e.g. require descriptions on interfaces.
 
+### Port Mirroring (SPAN)
+
+- SRX: [How to do port mirroring on J-series and SRX branch devices](https://supportportal.juniper.net/s/article/How-to-do-port-mirroring-on-J-series-and-SRX-branch-devices?language=en_US)
+- EX: [Configuring Port Mirroring and Analyzers](https://www.juniper.net/documentation/us/en/software/junos/network-mgmt/topics/topic-map/port-mirroring-and-analyzers-configuring.html#id-configuring-port-mirroring-to-analyze-traffic-cli-procedure#id-configuring-port-mirroring-to-analyze-traffic-cli-procedure)
+
 ### Booting
 
 The devices have two partitions; the primary and the backup.
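Review bot: the EX link repeats its fragment (`#id-configuring-port-mirroring-to-analyze-traffic-cli-procedure` appears twice at the end of the URL); keep a single `#...` so the anchor resolves.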
@@ -275,7 +280,7 @@ Note: USB3 drives may not work properly. Use USB2 drives.
 
 1. (Info) For virtualized boxes like EX4600 and QFX5100, skip the `request system snapshot` parts as these boxes are built differently wrt. Junos.
 1. Cleanup old files: `request system storage cleanup`
-1. Make sure the alternate partition contains a working copy of the current version: See [Validate the Upgrade](#validate-the-upgrade).
+1. Make sure the alternate partition contains a working copy of the current version: See [Validate the Partitions](#validate-the-partitions).
 
 #### ISSU and NSSU
 
@@ -309,7 +314,7 @@ This should work in most cases and is the most streamlined version, but may not
     - `reboot` reboots the device, so the upgrade can begin when booting.
     - If it complains about certificate problems, consider disabling verification using `no-validate`.
     - It may produce some insignificant errors in the process (commands not found etc.).
-1. See [Validate the Upgrade](#validate-the-upgrade).
+1. See [Validate the Partitions](#validate-the-partitions).
 
 #### From the Loader
 
@@ -320,9 +325,9 @@ If the normal method did not work, try this instead.
 1. Reboot the device and press space at the right time to enter the loader.
     - The message to wait for should look like this: `Hit [Enter] to boot immediately, or space bar for command prompt.`
 1. Format and flash: `install --format file:///jinstall-whatever.tgz` (where you placed it previously)
-1. See [Validate the Upgrade](#validate-the-upgrade).
+1. See [Validate the Partitions](#validate-the-partitions).
 
-#### Validate the Upgrade
+#### Validate the Partitions
 
 1. Log into the CLI.
 1. Verify that the system is booted from the active partition of the internal media: `show system storage partitions` (should show `Currently booted from: active`)
@@ -330,19 +335,7 @@ If the normal method did not work, try this instead.
 1. Copy to the alternate root partition (may take several minutes): `request system snapshot slice alternate`
 1. Verify that the primary and backup partitions have the same Junos version: `show system snapshot media internal`
     - If the command fails, wait a bit and try again. The copy may still be happening in the background.
-
-### Copy the Active Root Partition
-
-This procedure clones the active partition to the alternate partition.
-This is also how you would clone to and boot from a USB device, but with `media external` instead of both `media internal` and `slice alternate`.
-
-1. Clone the active partition to the alternate partition: `request system snapshot slice alternate`
-    - This may not be completely finished when the command returns. If the below commands fail, wait and try again.
-1. Validate it:
-    - `show system storage partitions`
-    - `show system snapshot media internal`
-
-To boot to the alternate partition, use `request system reboot slice alternate media internal`.
+1. (Info) To boot from the alternative partition: `request system reboot slice alternate media internal`
 
 ### Fix a Corrupt Root Partition
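Review bot: folding "Copy the Active Root Partition" into the validation list loses the only mention of `media external` for cloning to and booting from a USB device; keep that sentence as an (Info) item next to the new reboot line or the USB path is no longer documented. The retry advice ("wait a bit and try again") survives at the top of the hunk, so the merged list is otherwise complete for the internal-media case.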
 
@@ -350,7 +343,7 @@ If one of the root partitions get corrupted (e.g. due to sudden power loss),
 the device will boot to the alternate root partition.
 This can be fixed by cloning the new active partition to the alternate, corrupt partition.
 
-See [Copy the Active Root Partition](#copy-the-active-root-partition) or [[EX] Switch boots from backup root partition after file system corruption occurred on the primary root partition (Juniper)](https://kb.juniper.net/InfoCenter/index?page=content&id=KB23180).
+See [Validate the Partitions](#validate-the-partitions) or [[EX] Switch boots from backup root partition after file system corruption occurred on the primary root partition (Juniper)](https://kb.juniper.net/InfoCenter/index?page=content&id=KB23180).
 
 ## Info
 

+ 30 - 1
networking/juniper-srx.md

@@ -98,6 +98,7 @@ breadcrumbs:
 1. Exit config CLI: `exit`
 1. Save the rescue config: `request system configuration rescue save`
 1. Save the autorecovery info: `request system autorecovery state save`
+1. Reboot the device to change forwarding mode and stuff (if changed): `request system reboot`
 
 ### Interface Setup
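Review bot: "and stuff" is vague; name the settings that require the reboot (the hunk only says "forwarding mode"), e.g. the packet/flow forwarding mode and the L2 global mode described in the Theory section below, so a reader knows when this step can be skipped.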
 
@@ -110,7 +111,35 @@ See [Juniper EX](/config/network/juniper-ex/).
 
 ## Theory
 
-### Zone-based Firewalling (SRX)
+SRX-specific information, see the Junos page for general information.
+
+### Packet Forwarding Mode (Packet-based and Flow-based)
+
+- *Packet-based forwarding* handles packets one by one, also called stateless forwarding (similar to router ACLs). This does not handle connection tracking and other advanced features.
+- *Flow-based forwarding* handles packets as streams, also called stateful forwarding. This is the default for IPv4 (IPv6 forwarding is disabled by default).
+- Commands:
+    - Configured using `set security forwarding-options family inet6 mode flow-based` (example).
+    - Run `show security flow status` to show forwarding modes.
+
+### L2 Forwarding Mode (Transparent and Switching)
+
+- The default mode on most newer devices/versions is switching mode.
+- Switching mode:
+    - Basically L3 mode. Pretty similar to L3 switches, with VLANs and RVIs.
+    - Uses IRB interfaces in security zones.
+    - Does not enforce policy on intra-VLAN traffic.
+    - Supports LACP.
+- Transparent mode:
+    - Basically L2 mode.
+    - The firewall acts like an L2 switch connected inline in the infrastructure, allowing simple integration without modifying routing and protocols.
+    - Does not support STP, IGMP snooping, Q-in-Q, NAT and VPNs.
+    - Uses physical interfaces in security zones.
+    - Also called L2 transparent mode (L2TM).
+- Commands:
+    - Configured using `set protocols l2-learning global-mode {transparent-bridge|switching}`.
+    - Show using `show ethernet-switching global-information`.
+
+### Security Zones
 
 - On SRX firewalls, you assign interfaces to security zones. **TODO** All interfaces must be assigned a zone and a zone may have zero or multiple interfaces?
 - *Security zones* are the main type of zone.
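Review bot: renaming the heading from "Zone-based Firewalling (SRX)" to "Security Zones" changes its anchor, so check the page for links to `#zone-based-firewalling-srx`. The opening line is a comma splice; "This page covers SRX-specific information; see the Junos page for general information." reads better. In the switching-mode list, "Does not enforce policy on intra-VLAN traffic" is the security-relevant consequence of that mode and deserves one explicit sentence that hosts in the same VLAN are never inspected by zone policies, since that decides whether switching mode is acceptable for a given segment.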