SWITCHING
inter-vlan
- verify network settings for each user: ip, mac, gw
- verify gw reachability
- verify MAC table:
show ethernet-switching table (control plane)
show route forwarding-table family ethernet-switching (forwarding plane - PFE) both should be in sync
- verify STP: show spanning-tree interface
- verify vlan-interface association: show vlans X [detail]
- verify interface config: show configuration interface XXX
- where is gw: show route table inet.0
- fw session: show security flow session protocol icmp source-prefix IP
Route "rejected" for irb => check vlan config has l3-interface configured
LAG not coming up but config looks ok -> show configuration chassis aggregated-devices => device-count!
EVPN
east-west
- verify network settings for each user: ip, mac, gw
- verify gw reachability
- evpn-vxlan:
-- underlay: IGP (ospf-isis) or eBGP (loopbacks exchanged, peers up, etc)
---show bgp summary / show route receive/advertised-protocol bgp IP table inet.0
---show evpn databases
-- overlay: iBGP up, EVPN peers up
--- show evpn instance extensive
--- show evpn database
--- show route table inet.0 protocol evpn
-- VXLAN: VTEPs established, up, EVPN routes (typ2/5 exchanged?
--- show interfaces vtep
type source: for the locally attached networks
type Remote: for remote networks
--- show vlan (mapping vlan-vni)
--- show vlan X details -> l3-irbs, mapped interfaces, etc
-- communication between same vlan/vni? vlan-vni mapping identical in all devices?, IRB using commong VGA, IRB bound to VLANs
--- show ethernet-switching vxlan-tunnel-end-point source
--- show ethernet-switching vxlan-tunnel-end-point remote
--- show interfaces terse irb
--- show configuration interfaces irb
--- show configuration vlans
--- show ethernet-switching table
show bgp summary
- bgp.evpn.0 receives all EVPN routes (LE and SP)
- default-switch.evpn.0 - typ1,2,3 copied here (only LE, no in SP)
- default_evpn.evpn.0 - typ4 copied here (only LE, no in SP)
show route summary
:vxlan.inet.0 - holds the routes to remote VTEPs and uses inet.0 for route selection (because it has : in the name)
OSPF
ospf operational
show ospf neighbor
show ospf interface (loopbacks are in??)
show interfaces x | match mtu
show ospf overview
show ospf statistics
set protocols ospf traceoptions file X size 5m files 3 flag all
show log X
show configuration interface Y
monitor traffic interface Y detail matching "proto ospf"
request system decrypt password "xxxx" (onlu for $8$ or $9$ hashes)
adj state full
show ospf database (* = entries generated by the local router)
show route protocol ospf table inet.0
spf stable: duplicate RID?, flapping links?
routes in RIB: lsdb, asbr over non-bb area, 0/0 in nssa and stubs, prefix export limit, import/export policies
- show route table inet.0
- abr: nssa no-summaries -> routes in that area dont see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
- show configuration protocols ospf
ISIS
(initializing -> mtu issue (at least 1492)
isis operational
show isis adjacency
show isis interface (loopbacks are in??)
show interfaces x | match mtu
show isis overview (if attached bit evaluation disabled -> default route (sent by L1L2) is not installed
show isis statistics
set protocols isis traceoptions file X size 5m files 3 flag error detail flag hello detail
show log X
show configuration interface Y
monitor traffic interface Y detail matching "proto isis"
request system decrypt password "xxxx" (onlu for $8$ or $9$ hashes)
adj state full
show isis database (* = entries generated by the local router)
show isis route
show route protocol isis table inet.0
spf stable: duplicate NET?, flapping links?
routes in RIB: lsdb, levels?, 0/0 in l1, prefix export limit, import/export policies
show route table inet.0
abr: nssa no-summaries -> routes in that area dont see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
show configuration protocols ospf
show isis hostname
show route table iso.0 <-- NET addresses!
BGP
iBGP
-ibgp established: security policies, fw rules, IGP routing, local address, auth, logs
set protocols bgp group int-group traceoptions file X size 5m files 3 flap open detail
show system connections
-ibgp stable: IGP stable? MTU, TCP MSS
-ibgp adverts: export policy, inactive routes, no-advertise community, bgp family
-ibgp receives: BGP next-hop, recursive routing
-routes in RIB: import policy
ROUTING LOOPS
take several traceroute
check where route redistribution takes place
set cli timestamp
show bgp summary (several times to see flapping)
show route received-protocol bgp PEER_IP table x.0 (several times to see flapping)
show route NET/MASK (several times)
show route hidden detail table x.0
MPLS L3VPN
control plane:
- pe-ce routing protocols
-- show route table inet.0 (for P and PE Lo)
-- show isis database detail
- ldp/rsvp
-- show route table inet.3 (table with ingress LSPs from this router
-- show route table mpls.0 (next LSR in each LSP). Loop-up LSPs and VPN labels
-- show ldp session/neighbor
-- show ldp database
*RT mismatch -> drop (no stored neither hiddne => go to the other peer and show route advertisedd-protocol bgp PE-IP)
- bgp
-- show bgp summary
-- show route table X.inet.0 (l3vpn table)
-- show route advertising-protocol bgp PE-IP
-- show route receive-protocol bgp PE-IP (is bgp.l3vpn.0 table???)
-- show route receive-protocol bgp PE-IP detail table bgp.l3vpn.0
-- *vrf-table-lable -> a LSI logical interface label is created and mapped to the VRF routing table.
data plane:
-- ping mpls
-- traceroute mpls ldp PE-Lo
Stateful FW
srx -> session-based
- show security flow status -> flow/packet-based
- show security flow session
- set security flow traceoptions file X size 2m files 3 flag basic-datapath packet-filter f1 protocol icmp destination-prefix FW-IP/32
- show interface X -> check security zone (Null drops all packets)
- show interface x detail | find Flow
- show security zones NAME
- show security screen statistics zone untrust | except 0
- show log messages | match RT_SCREEN or RT_IDS
- show security screen ids-option untrust-screen
- show configuration security screen
- set security zones security-zone X host-inbound-traffic system-override traceroute ping β¦
CHASSIS CLUSTER
OOB
fxp0: oob mgmt interface
fxp1/em0 - cp interface
fab - dp interace
swfab - switching dp interface
reth - redundant interface
show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep fxp
show configuration | display set | match apply-groups
set apply-groups ${node}
show system users
fabric link
show chassis cluster interfaces
show chassis cluster status
show chassis cluster statistics (sent/received??)
show interfaces terse | grep fab
data-plane
show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep reth
show configuration chassis cluster
*routing table is not running in secondary node
CoS
CoS-Based IPSec VPN
show security ike security-associations
show security ipsec security-associations
show security ipsec inactive-tunnels
show configuration security ipsec vpn X
show class-of-service forwarding-class
CoS implementation
show interfaces X detail | find Egress -> check counters in queues
show configuration firewall family inet -> check filtes
show interfaces filters | match X
show class-of-service interface Y
show class-of-service rewrite-rule type dscp
scheduler-map X | match "Scheduler|Transmit"
classifier type dscp name X