network_stuff:juniper:qfx

EXPANSION MODULE NOT RECOGNISED:

show chassis fpc pic-status  # if this shows the expansion module PICs offline...
request chassis system-mode flexi-pic-mode all-members  # ...run this and reboot

CHANNELIZATION - BREAK OUT CABLES (fiber break-out):

[edit chassis fpc 0 pic 1]
set port-range 0 3 channel-speed 10g   # channelize et ports 0-3, each into four 10G channels
set port 3 channel-speed 10g           # channelize a single et port into four 10G channels

MC-LAG
https://jira.mycompany2datacloud.com/browse/SYS-5112

  • Configuration with examples: External Link
  • Static ARP in VRRP (L3) MC-LAG: External Link
  • ICCP & ICL-PL on different links: External Link
    • Inter-Chassis Control Protocol (ICCP): uses TCP as its transport protocol and requires Bidirectional Forwarding Detection (BFD) for fast convergence.
    • Interchassis link-protection link (ICL-PL): each ICL can learn up to 512K MAC addresses.
  • *Consistency tools* (require 'set multi-chassis mc-lag consistency-check'): LINK

External Link
https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/mc-lag-on-core-understanding.html

show iccp detail
show bfd session detail
show interfaces mc-ae

Parameters to configure MC-LAG, from https://www.safaribooksonline.com/library/view/juniper-mx-series/9781491932711/ch09.html:


LINKS:

MC-LAG IN VQFX:

----

FOR TSHOOT:

set interfaces irb arp-l2-validate  # turns on validation of ARP and MAC table entries, automatically applying updates if they go out of sync. Workaround while the network has other issues that also cause loss of ARP/MAC synchronization. Disable it during normal operation because this option can impact performance in scaled configurations.
show iccp
show interfaces mc-ae
show lacp interfaces
show l2-learning redundancy-groups remote-macs
show ethernet-switching table
show ethernet-switching redundancy-groups remote-macs

OSPF PROTOCOL
To see the LSA contents, add the 'detail' flag:

show ospf database router lsa-id 148.64.56.250 detail
show ospf database external lsa-id 0.0.0.0 detail

EVPN AND VXLAN
MAC addresses are conveyed via BGP (datacenter use case). At the end of the day these are knobs to avoid using L3! Listen to this podcast

  • ESI—An Ethernet segment must have a unique nonzero identifier, called the Ethernet segment identifier (ESI). The ESI is encoded as a 10-octet integer. When manually configuring an ESI value, the most significant octet, known as the type byte, must be 00. When a single-homed CE device is attached to an Ethernet segment, the entire ESI value is zero. The Ethernet segment of the multihomed Device CE1 has an ESI value of 00:11:22:33:44:55:66:77:88:99 assigned. The single-homed Device CE2 has an ESI value of 0.
  • EVI—An EVPN instance (EVI) is an EVPN routing and forwarding instance spanning all the PE routers participating in that VPN. An EVI is configured on the PE routers on a per-customer basis. Each EVI has a unique route distinguisher and one or more route targets. An EVI is configured on Routers PE1, PE2, and PE3.

PORT MIRRORING:
For local mirroring, the output interface needs to have an IP configured on the switch's physical interface itself! Mirrored traffic arrives encapsulated from that IP, so a standalone monitoring station is really needed.

# B05 (ae5 is connected to dmc02)
set forwarding-options analyzer employee-monitor input ingress vlan 510
set forwarding-options analyzer employee-monitor output interface ae5.0
set interfaces ae5.0 family inet address 192.1.1.1/24

PERFORM A FORMAT INSTALLATION (USB REQUIRED):
See this link https://panda314159.duckdns.org/doku.php?id=network_stuff:juniper:qfx:fortmatreinstall

FORMAT INSTALL:


SNMP CONFIGURATION STANDARD FOR EX4600 AND ABOVE:

set snmp location HERE
set snmp contact ME
set snmp v3 usm local-engine user ODC authentication-sha authentication-password <authentication-password>
set snmp v3 usm local-engine user ODC privacy-aes128 privacy-password <privacy-password>
set snmp v3 vacm security-to-group security-model usm security-name ODC group SNMPV3GROUP
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model usm security-level privacy read-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model usm security-level privacy notify-view SNMPVIEW
set snmp view SNMPVIEW oid .1 include


If SNMPv3 fails on an EX4600 (after an upgrade or NMS change), try this:

del snmp v3
set snmp engine-id local 88e64b801438  # interface MAC address
commit
restart snmp gracefully all-members
set snmp location Coresite-LA1
set snmp contact "sysadmin@mycompany1.co.uk"
set snmp v3 usm local-engine user ODC authentication-sha authentication-password "XXXXXXXXX"
set snmp v3 usm local-engine user ODC privacy-aes128 privacy-password "YYYYYYYYYYY"
set snmp v3 vacm security-to-group security-model usm security-name ODC group SNMPV3GROUP
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model usm security-level privacy read-view SNMPVIEW
set snmp v3 vacm access group SNMPV3GROUP default-context-prefix security-model usm security-level privacy notify-view SNMPVIEW
set snmp view SNMPVIEW oid .1 include
restart snmp gracefully all-members
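Why the engine-id step matters, shown as an added Python example (not Junos code and not part of the original notes): USM localizes each user's authentication and privacy key to the agent's engine ID (RFC 3414), so after the engine ID changes the stored localized keys no longer match what the NMS derives, and the users have to be re-created as in the sequence above. The engine ID bytes below are the RFC 3414 test vector plus a constructed second value; the raw value given to `set snmp engine-id local` is wrapped by Junos in a longer SNMPv3 engine ID, so it is not fed in directly here.

```python
import hashlib

# RFC 3414 A.2: the password is repeated out to 1 MiB and hashed to give Ku,
# then Ku is localized to the agent's engine ID. The agent stores only the
# localized keys, which is why a new engine-id invalidates the USM users.
ONE_MIB = 1024 * 1024


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku: hash of the password repeated to exactly 1 MiB (RFC 3414 A.2.2 for SHA)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MIB, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the agent actually keeps."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes):
    """Localized (authentication-sha key, privacy-aes128 key) for one user.
    AES-128 takes the first 16 bytes of the SHA-localized privacy key (RFC 3826)."""
    kul_auth = localize_key(password_to_key(auth_password), engine_id)
    kul_priv = localize_key(password_to_key(priv_password), engine_id)
    return kul_auth, kul_priv[:16]


def keys_survive_engine_change(auth_pw, priv_pw, old_engine, new_engine):
    """True only if the localized keys are unchanged. A changed engine ID gives
    different keys, so SNMPv3 fails until the users are deleted and re-added."""
    return usm_keys(auth_pw, priv_pw, old_engine) == usm_keys(auth_pw, priv_pw, new_engine)


if __name__ == "__main__":
    # RFC 3414 A.3.2 test vector: password "maplesyrup", 12-octet engineID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    # Constructed alternative engine ID, standing in for a post-upgrade change.
    new_engine = bytes.fromhex("000000000000000000000003")
    ku = password_to_key(b"maplesyrup")
    print("Ku  :", ku.hex())
    print("Kul :", localize_key(ku, rfc_engine).hex())
    print("keys unchanged after engine-id change:",
          keys_survive_engine_change(b"maplesyrup", b"maplesyrup", rfc_engine, new_engine))
```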

MERAKI:
To monitor SNMP through the Meraki public IP, configure a port-forwarding rule (example):

Meraki > Firewall > forwarding rules
csw3-snmp 1613 > 10.20.3.42 161 (restrict sourc

NMS:
Multiple devices share the same IP (the Meraki public IP), so Observium is configured with the different forwarded ports (eg: 1613):

cat /etc/hosts
67.212.55.69 csw2.mydomain.com
67.212.55.69 csw3.mydomain.com
67.212.55.69 csw4.mydomain.com

This is to enable non-standard SSH ports for certain devices:

[rancid@nms]$ cat .cloginrc
add password fw0* {} {}
add user * rancid
add password * password
add identity * /var/rancid/.ssh/rancid_rsa
add method csw3.la1.mycompany1.co.uk {ssh:1023}
add method csw4.la1.mycompany1.co.uk {ssh:1024}
# custom ssh command; note this skips host-key verification, so it gives no protection against a spoofed device
add sshcmd * {ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no}
add method * ssh
add noenable fw0* {0}
add cyphertype fw0*.dc.mycompany1.co.uk aes256-cbc
network_stuff/juniper/qfx.1646068761.txt.gz · Last modified: (external edit)