<\/p>\n\n\n\n
inter-vlan
- verify network settings for each user: ip, mac, gw
- verify gw reachability
- verify MAC table:
show ethernet-switching table (control plane)
show route forwarding-table family ethernet-switching (forwarding plane - PFE) both should be in sync
- verify STP: show spanning-tree interface
- verify vlan-interface association: show vlans X [detail]
- verify interface config: show configuration interface XXX
- where is gw: show route table inet.0
- fw session: show security flow session protocol icmp source-prefix IP
Route \"rejected\" for irb => check vlan config has l3-interface configured
LAG not coming up but config looks ok -> show configuration chassis aggregated-devices => device-count!<\/pre>\n\n\n\nEVPN<\/h1>\n\n\n\n
east-west
- verify network settings for each user: ip, mac, gw
- verify gw reachability
- evpn-vxlan:
-- underlay: IGP (ospf-isis) or eBGP (loopbacks exchanged, peers up, etc)
---show bgp summary \/ show route receive\/advertised-protocol bgp IP table inet.0
---show evpn databases
-- overlay: iBGP up, EVPN peers up
--- show evpn instance extensive
--- show evpn database
--- show route table inet.0 protocol evpn
-- VXLAN: VTEPs established, up, EVPN routes (typ2\/5 exchanged?
--- show interfaces vtep
type source: for the locally attached networks
type Remote: for remote networks
--- show vlan (mapping vlan-vni)
--- show vlan X details -> l3-irbs, mapped interfaces, etc
-- communication between same vlan\/vni? vlan-vni mapping identical in all devices?, IRB using commong VGA, IRB bound to VLANs
--- show ethernet-switching vxlan-tunnel-end-point source
--- show ethernet-switching vxlan-tunnel-end-point remote
--- show interfaces terse irb
--- show configuration interfaces irb
--- show configuration vlans
--- show ethernet-switching table
show bgp summary
- bgp.evpn.0 receives all EVPN routes (LE and SP)
- default-switch.evpn.0 - typ1,2,3 copied here (only LE, no in SP)
- default_evpn.evpn.0 - typ4 copied here (only LE, no in SP)
show route summary
:vxlan.inet.0 - holds the routes to remote VTEPs and uses inet.0 for route selection (because it has : in the name)<\/pre>\n\n\n\n<\/p>\n\n\n\n
OSPF<\/h1>\n\n\n\n
ospf operational
show ospf neighbor
show ospf interface (loopbacks are in??)
show interfaces x | match mtu
show ospf overview
show ospf statistics
set protocols ospf traceoptions file X size 5m files 3 flag all
show log X
show configuration interface Y
monitor traffic interface Y detail matching \"proto ospf\"
request system decrypt password \"xxxx\" (onlu for $8$ or $9$ hashes)
adj state full
show ospf database (* = entries generated by the local router)
show route protocol ospf table inet.0
spf stable: duplicate RID?, flapping links?
routes in RIB: lsdb, asbr over non-bb area, 0\/0 in nssa and stubs, prefix export limit, import\/export policies
- show route table inet.0
- abr: nssa no-summaries -> routes in that area dont see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
- show configuration protocols ospf<\/pre>\n\n\n\n<\/p>\n\n\n\n
ISIS<\/h1>\n\n\n\n
(initializing -> mtu issue (at least 1492)
isis operational
show isis adjacency
show isis interface (loopbacks are in??)
show interfaces x | match mtu
show isis overview (if attached bit evaluation disabled -> default route (sent by L1L2) is not installed
show isis statistics
set protocols isis traceoptions file X size 5m files 3 flag error detail flag hello detail
show log X
show configuration interface Y
monitor traffic interface Y detail matching \"proto isis\"
request system decrypt password \"xxxx\" (onlu for $8$ or $9$ hashes)
adj state full
show isis database (* = entries generated by the local router)
show isis route
show route protocol isis table inet.0
spf stable: duplicate NET?, flapping links?
routes in RIB: lsdb, levels?, 0\/0 in l1, prefix export limit, import\/export policies
show route table inet.0
abr: nssa no-summaries -> routes in that area dont see any summary LSA for other areas => you may need to advertise a default (set protocols ospf area X nssa default-lsa default-metric 1)
show configuration protocols ospf
show isis hostname
show route table iso.0 <-- NET addresses!<\/pre>\n\n\n\n<\/p>\n\n\n\n
BGP<\/h1>\n\n\n\n
iBGP
-ibgp established: security policies, fw rules, IGP routing, local address, auth, logs
set protocols bgp group int-group traceoptions file X size 5m files 3 flap open detail
show system connections
-ibgp stable: IGP stable? MTU, TCP MSS
-ibgp adverts: export policy, inactive routes, no-advertise community, bgp family
-ibgp receives: BGP next-hop, recursive routing
-routes in RIB: import policy<\/pre>\n\n\n\nROUTING LOOPS<\/h1>\n\n\n\n
take several traceroute
check where route redistribution takes place
set cli timestamp
show bgp summary (several times to see flapping)
show route received-protocol bgp PEER_IP table x.0 (several times to see flapping)
show route NET\/MASK (several times)
show route hidden detail table x.0<\/pre>\n\n\n\nMPLS L3VPN<\/h1>\n\n\n\n
control plane:
- pe-ce routing protocols
-- show route table inet.0 (for P and PE Lo)
-- show isis database detail
- ldp\/rsvp
-- show route table inet.3 (table with ingress LSPs from this router
-- show route table mpls.0 (next LSR in each LSP). Loop-up LSPs and VPN labels
-- show ldp session\/neighbor
-- show ldp database
*RT mismatch -> drop (no stored neither hiddne => go to the other peer and show route advertisedd-protocol bgp PE-IP)
- bgp
-- show bgp summary
-- show route table X.inet.0 (l3vpn table)
-- show route advertising-protocol bgp PE-IP
-- show route receive-protocol bgp PE-IP (is bgp.l3vpn.0 table???)
-- show route receive-protocol bgp PE-IP detail table bgp.l3vpn.0
-- *vrf-table-lable -> a LSI logical interface label is created and mapped to the VRF routing table.
data plane:
-- ping mpls
-- traceroute mpls ldp PE-Lo<\/pre>\n\n\n\n<\/p>\n\n\n\n
Stateful FW<\/h1>\n\n\n\n
srx -> session-based
- show security flow status -> flow\/packet-based
- show security flow session
- set security flow traceoptions file X size 2m files 3 flag basic-datapath packet-filter f1 protocol icmp destination-prefix FW-IP\/32
- show interface X -> check security zone (Null drops all packets)
- show interface x detail | find Flow
- show security zones NAME
- show security screen statistics zone untrust | except 0
- show log messages | match RT_SCREEN or RT_IDS
- show security screen ids-option untrust-screen
- show configuration security screen
- set security zones security-zone X host-inbound-traffic system-override traceroute ping \u2026<\/pre>\n\n\n\nCHASSIS CLUSTER<\/h1>\n\n\n\n
OOB<\/h2>\n\n\n\n
fxp0: oob mgmt interface
fxp1\/em0 - cp interface
fab - dp interace
swfab - switching dp interface
reth - redundant interface
show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep fxp
show configuration | display set | match apply-groups
set apply-groups ${node}
show system users<\/pre>\n\n\n\nfabric link<\/h2>\n\n\n\n
show chassis cluster interfaces
show chassis cluster status
show chassis cluster statistics (sent\/received??)
show interfaces terse | grep fab<\/pre>\n\n\n\ndata-plane<\/h2>\n\n\n\n
show chassis cluster status
show chassis cluster interfaces
show interfaces terse | grep reth
show configuration chassis cluster
*routing table is not running in secondary node<\/pre>\n\n\n\nCoS<\/h1>\n\n\n\n
CoS-Based IPSec VPN<\/h2>\n\n\n\n
show security ike security-associations
show security ipsec security-associations
show security ipsec inactive-tunnels
show configuration security ipsec vpn X
show class-of-service forwarding-class<\/pre>\n\n\n\nCoS implementation<\/h2>\n\n\n\n
<\/p>\n\n\n\n
show interfaces X detail | find Egress -> check counters in queues
show configuration firewall family inet -> check filtes
show interfaces filters | match X
show class-of-service interface Y
show class-of-service rewrite-rule type dscp
scheduler-map X | match \"Scheduler|Transmit\"
classifier type dscp name X<\/pre>\n","protected":false},"excerpt":{"rendered":"SWITCHING inter-vlan- verify network settings for each user: ip, mac, gw- verify gw reachability- verify MAC table: show ethernet-switching table (control plane) show route forwarding-table family ethernet-switching (forwarding plane – PFE) both should be in sync- verify STP: show spanning-tree interface- verify vlan-interface association: show vlans X [detail]- verify interface config: show configuration interface XXX- … Continue reading “Advance Junos Troubleshooting”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-1947","post","type-post","status-publish","format-standard","hentry","category-networks"],"_links":{"self":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/1947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1947"}],"version-history":[{"count":4,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/1947\/revisions"}],"predecessor-version":[{"id":1951,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/1947\/revisions\/1951"}],"wp:attachment":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1947"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}