Advanced Junos Troubleshooting

SWITCHING

inter-vlan
- verify network settings for each user: ip, mac, gw
- verify gw reachability
- verify MAC table:
show ethernet-switching table (control plane)
show route forwarding-table family ethernet-switching (forwarding plane - PFE); both should be in sync
- verify STP: show spanning-tree interface
- verify vlan-interface association: show vlans X [detail]
- verify interface config: show configuration interface XXX
- where is gw: show route table inet.0
- fw session: show security flow session protocol icmp source-prefix IP

Route "rejected" for irb => check vlan config has l3-interface configured

LAG not coming up but config looks ok -> show configuration chassis aggregated-devices => device-count!

EVPN

east-west

- verify network settings for each user: ip, mac, gw
- verify gw reachability

- evpn-vxlan:
-- underlay: IGP (ospf-isis) or eBGP (loopbacks exchanged, peers up, etc)
--- show bgp summary / show route receive-protocol|advertising-protocol bgp IP table inet.0
--- show evpn database

-- overlay: iBGP up, EVPN peers up
--- show evpn instance extensive
--- show evpn database
--- show route table inet.0 protocol evpn

-- VXLAN: VTEPs established, up, EVPN routes (type 2/5) exchanged?
--- show interfaces vtep
type source: for the locally attached networks
type Remote: for remote networks
--- show vlans (mapping vlan-vni)
--- show vlans X detail -> l3-irbs, mapped interfaces, etc

-- communication between same vlan/vni? vlan-vni mapping identical in all devices?, IRB using common VGA, IRB bound to VLANs
--- show ethernet-switching vxlan-tunnel-end-point source
--- show ethernet-switching vxlan-tunnel-end-point remote
--- show interfaces terse irb
--- show configuration interfaces irb
--- show configuration vlans
--- show ethernet-switching table
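
Added example (not part of the original notes): a small Python audit for the "vlan-vni mapping identical in all devices?" check above and the earlier "l3-interface configured" check, run over saved "show configuration vlans | display set" output. The device names, VLAN names and VNIs are constructed sample data, and the l3-interface check assumes every VLAN is meant to be routed.

```python
import re
from collections import defaultdict

# Constructed sample: "show configuration vlans | display set" saved per leaf.
SAMPLE = {
    "leaf1": """set vlans V100 vlan-id 100
set vlans V100 l3-interface irb.100
set vlans V100 vxlan vni 10100
set vlans V200 vlan-id 200
set vlans V200 l3-interface irb.200
set vlans V200 vxlan vni 10200""",
    "leaf2": """set vlans V100 vlan-id 100
set vlans V100 l3-interface irb.100
set vlans V100 vxlan vni 10100
set vlans V200 vlan-id 200
set vlans V200 vxlan vni 20200""",
}

LINE = re.compile(r"^set vlans (\S+) (vlan-id|l3-interface|vxlan vni) (\S+)\s*$")

def parse_vlans(display_set):
    """Return {vlan_name: {"vlan-id": ..., "vni": ..., "l3-interface": ...}}."""
    vlans = defaultdict(dict)
    for line in display_set.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, key, value = m.groups()
            vlans[name]["vni" if key == "vxlan vni" else key] = value
    return dict(vlans)

def audit(devices):
    """Flag VLAN IDs mapped to different VNIs and VLANs lacking an l3-interface."""
    findings, vni_by_vlan = [], defaultdict(dict)
    for dev, text in sorted(devices.items()):
        for name, cfg in sorted(parse_vlans(text).items()):
            vid = cfg.get("vlan-id")
            if vid and "vni" in cfg:
                vni_by_vlan[vid][dev] = cfg["vni"]
            if "l3-interface" not in cfg:  # assumption: all VLANs are routed
                findings.append(f"{dev}: vlan {name} has no l3-interface")
    for vid, per_dev in sorted(vni_by_vlan.items()):
        if len(set(per_dev.values())) > 1:
            findings.append(f"vlan-id {vid}: VNI mismatch {dict(sorted(per_dev.items()))}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```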

show bgp summary
- bgp.evpn.0 receives all EVPN routes (LE and SP)
- default-switch.evpn.0 - type 1, 2, 3 routes copied here (only on LE, not on SP)
- __default_evpn__.evpn.0 - type 4 routes copied here (only on LE, not on SP)

show route summary
:vxlan.inet.0 - holds the routes to remote VTEPs and uses inet.0 for route selection (because it has : in the name)

OSPF

ospf operational
show ospf neighbor
show ospf interface (loopbacks are in??)
show interfaces x | match mtu
show ospf overview
show ospf statistics
set protocols ospf traceoptions file X size 5m files 3 flag all
show log X
show configuration interface Y
monitor traffic interface Y detail matching "proto ospf"
request system decrypt password "xxxx" (only for $8$ or $9$ hashes)

adj state full
show ospf database (* = entries generated by the local router)
show route protocol ospf table inet.0

spf stable: duplicate RID?, flapping links?

routes in RIB: lsdb, asbr over non-bb area, 0/0 in nssa and stubs, prefix export limit, import/export policies
- show route table inet.0
- abr: nssa no-summaries -> routers in that area don't see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
- show configuration protocols ospf

ISIS

initializing -> mtu issue (at least 1492)

isis operational
show isis adjacency
show isis interface (loopbacks are in??)
show interfaces x | match mtu
show isis overview (if attached bit evaluation disabled -> default route (sent by L1L2) is not installed)
show isis statistics
set protocols isis traceoptions file X size 5m files 3 flag error detail flag hello detail
show log X
show configuration interface Y
monitor traffic interface Y detail matching "proto isis"
request system decrypt password "xxxx" (only for $8$ or $9$ hashes)

adj state full
show isis database (* = entries generated by the local router)
show isis route
show route protocol isis table inet.0

spf stable: duplicate NET?, flapping links?

routes in RIB: lsdb, levels?, 0/0 in l1, prefix export limit, import/export policies
show route table inet.0
abr: nssa no-summaries -> routers in that area don't see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
show configuration protocols ospf
show isis hostname
show route table iso.0 <-- NET addresses!

BGP

iBGP
-ibgp established: security policies, fw rules, IGP routing, local address, auth, logs
set protocols bgp group int-group traceoptions file X size 5m files 3 flag open detail
show system connections

-ibgp stable: IGP stable? MTU, TCP MSS

-ibgp adverts: export policy, inactive routes, no-advertise community, bgp family

-ibgp receives: BGP next-hop, recursive routing

-routes in RIB: import policy

ROUTING LOOPS

take several traceroutes
check where route redistribution takes place
set cli timestamp
show bgp summary (several times to see flapping)
show route receive-protocol bgp PEER_IP table x.0 (several times to see flapping)
show route NET/MASK (several times)
show route hidden detail table x.0

MPLS L3VPN

control plane:
- pe-ce routing protocols
-- show route table inet.0 (for P and PE Lo)
-- show isis database detail

- ldp/rsvp
-- show route table inet.3 (table with ingress LSPs from this router)
-- show route table mpls.0 (next LSR in each LSP). Look up LSPs and VPN labels
-- show ldp session/neighbor
-- show ldp database
*RT mismatch -> drop (neither stored nor hidden => go to the other peer and show route advertising-protocol bgp PE-IP)

- bgp
-- show bgp summary
-- show route table X.inet.0 (l3vpn table)
-- show route advertising-protocol bgp PE-IP
-- show route receive-protocol bgp PE-IP (is bgp.l3vpn.0 table???)
-- show route receive-protocol bgp PE-IP detail table bgp.l3vpn.0
-- *vrf-table-label -> an LSI logical interface label is created and mapped to the VRF routing table.

data plane:
-- ping mpls
-- traceroute mpls ldp PE-Lo

Stateful FW

srx -> session-based
- show security flow status -> flow/packet-based
- show security flow session
- set security flow traceoptions file X size 2m files 3 flag basic-datapath packet-filter f1 protocol icmp destination-prefix FW-IP/32
- show interface X -> check security zone (Null drops all packets)
- show interface x detail | find Flow
- show security zones NAME
- show security screen statistics zone untrust | except 0
- show log messages | match "RT_SCREEN|RT_IDS"
- show security screen ids-option untrust-screen
- show configuration security screen
- set security zones security-zone X host-inbound-traffic system-override traceroute ping …

CHASSIS CLUSTER

OOB

fxp0: oob mgmt interface
fxp1/em0 - cp interface
fab - dp interface
swfab - switching dp interface
reth - redundant interface

show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep fxp
show configuration | display set | match apply-groups
set apply-groups ${node}
show system users

fabric link

show chassis cluster interfaces
show chassis cluster status
show chassis cluster statistics (sent/received??)
show interfaces terse | grep fab

data-plane

show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep reth
show configuration chassis cluster

*routing table is not running in secondary node

CoS

CoS-Based IPSec VPN

show security ike security-associations
show security ipsec security-associations
show security ipsec inactive-tunnels
show configuration security ipsec vpn X
show class-of-service forwarding-class

CoS implementation

show interfaces X detail | find Egress -> check counters in queues

show configuration firewall family inet -> check filters
show interfaces filters | match X
show class-of-service interface Y
show class-of-service rewrite-rule type dscp
show class-of-service scheduler-map X | match "Scheduler|Transmit"
show class-of-service classifier type dscp name X