
JUNOS Cheat-Sheet

Quick Reference

Active: Stored in /config/juniper.conf.gz
Rollbacks n = 1-3: Stored in /config/juniper.conf.n.gz
Rollbacks n = 4-49: /config/db/config/juniper.conf.n.gz
Rescue: /config/rescue.conf.gz
JUNOS Images: Should be stored in /var/tmp for easy cleanup

Disable
    IOS:   interface <name>
           shutdown
    JUNOS: set interface <name> disable

Enable
    IOS:   interface <name>
           no shutdown
    JUNOS: delete interface <name> disable

help topic: General topics
help reference: Syntax
help syslog: Lookup syslog msgs

(all are operational-mode commands)
Upgrade: request system software add
Reboot: request system reboot
Shutdown: request system power-off


There is no default rescue config, don't forget to create it!

Create: request system configuration rescue save
Rollback (apply/restore): [edit] rollback rescue

Login as root, run ezsetup
OR Connect to ge-0/0/0, use DHCP and access (web or telnet/SSH)
OR Choose Enter Ezsetup from LCD screen
OR Connect to me0 and access (EX-series)
i pt me ne >

OR Press the config button for less than 5 seconds

w ho




Set Root password


set system root-authentication plain-text-password

t se

da em

te m ti e-

Enable SSH: set system services ssh
Disable Telnet: delete system services telnet
Set Hostname: set system host-name <name>

< st p ns ow sy nt io Sh t e at se at t ci d so Se t as se t p Se one nt w ez ) ho Tim (NTP ) s t P Se (NT ow Sh


NTP server!

Juniper EX-series Cheat Sheet

Quick Reference
Up to 64 MSTP instances are supported
Configure under [edit protocols] hierarchy (stp, rstp and mstp)

Use Redundant Trunk Groups (RTGs) to have a failover/secondary link without the use of STP
Up to 16 RTGs are supported per switch

[edit ethernet-switching-options]
redundant-trunk-group {
    group rtg1 {
        interface ge-0/0/3.0;
        interface ge-0/0/4.0;
    }
}

show spanning-tree bridge
show spanning-tree interface
show spanning-tree statistics interface
show spanning-tree mstp configuration

The EX-series

All ports are family ethernet-switching
PoE is enabled on all PoE-capable ports
LLDP and RSTP enabled
Virtual chassis system ID is 0 (zero)
mastership-priority of 128

Reset back to default: load factory-default



Pre-emption is enabled by default, highest priority wins

Each EX 4200 comes with a -meter VCB
Up to 10 (ten) EX 4200s can be stacked into a VCS

ant-tr show redund


lane e backp form th s is Ports rconnect hass es inte Virtual C ne cabl Backpla Ps CS V VC hassis s into a r to Virtual C switche ses fibe orts u VCB tender P switches x hassis E ote le ect rem Virtual C k modu interconn n 10Gbps uplin o d d to s upporte use VCEP Only s rotocol ssages ontrol P assis C very me irtual Ch A-based disco CS V S V in a ge L exchan n PFEs sed to betwee ace u VCCP et interf t Ethern en tack anagem switch s Virtual M administer the ngine arding E PFEs Forw V ME 2 Packet 0s have EX 420 have 3 PFEs 24-port 00s EX 42 et 48-port PF E port s ure a V Config ME
reques vcassis ual-ch port <#> t virt ot <#> pic-sl

Up to 8 interfaces in a single LAG
Max # LAGs:
    EX 3200 = 32 LAGs per switch
    EX 4200 = 64 LAGs per switch
    VCS = 128 LAGs per VCS
Trunks do not have to have a native VLAN

If me0 isn't configured as an L3 interface, it is automatically assigned to the mgmt VLAN

show chassis hardware
show virtual-chassis status
show virtual-chassis active-topology
show virtual-chassis interfaces
show virtual-chassis member-config
show virtual-chassis protocol

Remember that all ports by default are access ports

1. Set the number of ae interfaces
   set chassis aggregated-devices ethernet device-count <#>
2. Bind the physical interface to the ae interface
   set interfaces <name> ether-options 802.3ad <ae_int>
3. Set the ae interface properties (physical and logical)

Provides inter-VLAN routing. Like an SVI on IOS.

1. Set the port mode to trunk
   set interfaces <name> unit <#> family ethernet-switching port-mode trunk

The VLAN unit doesn't have to match the VLAN ID; best-practices recommend it

[edit interfaces]
vlan {
    unit 200 {
        family inet {
            address 10.1.1.1/24;
        }
    }
}

[edit vlans]
test {
    vlan-id 200;
    l3-interface vlan.200;
}

2. Set the VLAN membership on the trunk
   set interfaces <name> unit <#> family ethernet-switching vlan members <name(s)>

Ports can be:
    L2: Configure family ethernet-switching
    L3: Configure family inet

3. Set the native VLAN (optional)
   set interfaces <name> unit <#> family ethernet-switching native-vlan-id <name>


This is only used if it routes outside of the VLAN

Ingress / Received Packet Port Firewall Filter (PACL) VLAN Firewall Filter (VACL)

MA On C Lim ly a i llow ting p s s rote Lim tat cts its the OR ically the C -de num MA fine AM: ber dM sh C Lim of d AC ut yna do iting add dr mic wn act op res ally lo (blo ions ses (dr g -lea (do ops t cks : no rne dat ne he es dM pac a tr (do not AC af k not dro add Co p et a fic & do n res any pack nd ge gen [e figu ses di thin et, b ner erat rati t se on ut g ates es s g) e cu ene re ther Exa a s yste -a mp ne rate yst ml c in te cess t-sw le: s a em l og e rf it -p sys og e ntr a y) tem al ce g ort chin nt } lo g{ elog ry) we op in 0/ dti ent te ma 0/0. on rf ry) c s] ac 0 [ e { m
ac 00 -l ge-0 :0 im 0: it /0/1 00 :0 .0 2 0: ac { 00 ti :0 on 1 sh ]; ut do wn ;

Router Firewall Filter (RACL)

VLAN Firewall Filter (VACL)

Egress / Transmit Packet

Mitigate rogue DHCP servers!

} }

Default Port Trusts:
    Access port = untrusted
    Trunk port = trusted

Configuration Example:

[edit ethernet-switching-options]
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    interface ge-0/0/1.0 {
        no-dhcp-trusted;
    }
    vlan test {
        examine-dhcp;
    }
}

show dhcp snooping binding
clear dhcp snooping binding

Ex to a m i n vie e s w th e h o w Us M A et ec in h C te lea ta b e r n rf r le. etac et Lo sw he e it <n rn Li m ok at ch am et itin sh in e> -s g g v ow to w i t ta i ol cle ch a ti l o g bl ar on in e vio g me m e s l at ta s s sag ion bl ag es s. e es . fo r MA C

Relies on examining entries in the DHCP Snooping table, so requires DHCP Snooping
Disabled on all VLANs by default
It is enabled on a per-VLAN basis
Any interface that is configured as a trusted interface for DHCP Snooping is also setup as a DAI trusted interface (bypasses ARP inspection)

Configuration Example:

[edit ethernet-switching-options]
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    vlan test {
        arp-inspection;
        examine-dhcp;
    }
}

Monitoring Commands:

show dhcp snooping bindings
show arp inspection statistics

DHCP traceoptions are logged to /var/log/fud by default

i m s 4 { ow ra t gu yste .0/2 ge l nfi n 0 { Co dit s0.0. s-ra s s 1 e es


g p : hi hc ple s d .1 .0 xam vice .0 E er 10 on

are auth others : ost is t, all odes first h lican nt port m ult only plicant) supp X gle pplica 802.1 e (defa t s up a sin ch su e firs l rmits nt, ea sing ack on th (only pe plica sup -b e ultiple piggy e-secur for m l cess sing ) its ac lly) d denie ple (perm dividua nds i in seco mult enticated 36 00 th tions is au & Op eriod: ters onds rame tication P : 5 s ec X Pa n when 802.1 Reauthe 1 to 65,53 used lt : u e and is Defa Rang t) gured plican confi a s up ts. n be n fails (have N ca X h os t VLA thenticatio t respond -802.1 G ues n au r no n sn A s fo doe W he ypas lient . nac tion b e device W he ntica th authe cally on n t is a tored lo Lis are s Static MAC ddresses a MAC

ated, entic

all oth

er ho


e 0; ol ddr 0; addr ; 40 a po 86 00; 20 e- 0.1 4 e d 0. 86 im 0. clu 0.0. t . e- ime 1 ex 10 t as le sea m{ mu -le } i ax ult ver .10; m 0 er fa de e-s .0.1 m 10 na ct 4; li ? 25 { nf p 0. r co } hc 0. te : es d dhcp ou 10. s c r nd s ma rvi ce om se rvi } l C stem m se u sef sy ste U w sy } o sh ar e cl

Configuration Example:

[edit forwarding-options helpers bootp]
description "Main DHCP relay";
server 10.0.40.2;
maximum-hop-count 4;
minimum-wait-time 1;
interface {
    vlan.2 {
        no-listen;
    }
}

Configuration Example:

[edit protocols dot1x authenticator]
interface {
    ge-0/0/0.0 {
        guest-vlan test-guest-vlan;
        reauthentication 3600;
        supplicant single-secure;
    }
    ge-0/0/3.0 {
        no-reauthentication;
    }
}
static {
    00:00:00:00:00:01 {
        interface ge-0/0/0.0;
    }
    00:00:00:00:00:02;
}

Monitoring Commands:

show dot1x interface
show dot1x static-mac-address
show dot1x authentication-failed-users


default to class 0 by are assigned All switch ports er pool from total pow Modes: rt is deducted x power for po Static ma matches class 0) tal power pool (only supports dgeted from to ic power bu Dynam m the total consumed is deducted fro actual power r class budget we Class max po age for each power pool rical power us s provide histo rie PoE Telemet e (PD) powered devic fault Disabled by de 5 minutes (1 to 30 mins) al is Default interv to 24 hrs) n is 1 hour (1 Default duratio

: ple am Ex { ion /0 rat ; /0 figu poe] ge-0 igh; 15.4 n h r e Co t

we ty ac di [e erf or i m-po s { ; n t pri mu rie l 5 i ; a t xi ma eme erv on 1 t l in a ti te r du }

/1 /0 { -0 ge es ; ri ce fa m et ble r } te ele isa d t in } }

n a ef fa Us o w c h o e c o n t e r i p sh oe ow sh w p o sh

ds: ar an rdw m m s ha ll er o o ul C ssi tr ce

Fully interchangeable between EX 3200 and 4200 series switches
320W, 600W and 930W capacities are available



ticas t



Configure CoS before enabling voice VLAN
Use voice VLAN on ports with IP phones
Use LLDP-MED to signal voice VLAN ID and 802.1p value to IP phone

Configuration Example:

[edit ethernet-switching-options]
voip {
    interface ge-0/0/0 {
        vlan testvoice;
        forwarding-class voiceep;
    }
}

01-8 0

-C2 -

00-0 0


Useful Commands:

show vlans detail <name>

All mandatory LLDP TLVs are sent when LLDP is enabled
All optional LLDP and LLDP-MED TLVs are enabled by default

Configuration Example:

[edit protocols]
lldp {
    advertisement-interval 30;
    hold-multiplier 2;
    msgTxInterval 30;
    msgTxHold 4;
}
lldp-med;

Useful Commands:

show lldp statistics
show lldp detail
show lldp neighbors
show lldp local-info


Design and Implementation


24 to 48-ports
Basic model has 8 PoE ports
Up to 48 PoE ports are supported
Does not support VCS
Intended for access layer usage
Supports redundant power supplies (one internal, one via RPS port)
Field-replaceable PS and fan tray
Uplink modules:
    4 x 1Gbps Ethernet (SFP)
    2 x 10Gbps Ethernet (XFP)
Line-rate switching (non-blocking)

24 to 48-ports
Basic model has 8 PoE ports
Up to 48 PoE ports are supported
Supports VCS (up to 10 switches in a VCS)
Intended for distribution and access layer usage
Redundant (both internal), hot-swappable PS
Field-replaceable fan tray (3 fans; one can fail & not affect operations)
Uplink modules:
    4 x 1Gbps Ethernet (SFP)
    2 x 10Gbps Ethernet (XFP)
Line-rate switching (non-blocking)

[Figure: Control Plane: Routing Engine (RE) with JUNOS Software, Bridging Table (BT), Routing Table (RT) and Fwding Table (FT). Forwarding Plane: Packet Forwarding Engine (PFE) with Bridging Table (BT) and Fwding Table (FT). Packet Flow.]