Juniper

Install firmware updates

In this article I want to show you how to run a firmware update on a juniper router.
First you have to download the firwmare.
In this case EX3300.

You can run the firmware update using a USB stick that is FAT32 formated that is exactly 2GB sized.
Using a 2GB Fat23 partition will not do the trick and you can end up crunching the filesystem of the router...

Alternativley you can choose your a Web- or FTP server to be the source of the update files.
I choose to use the HFS Webserver, feel free to use what ever suites you best.

Firmwareupdate

After installing the webserver, load the .tgz firmware file into its root directory and copy the link to it.
As you can see on the switch I am checking the currently running firmware version (12.3R12-S7)

> show version

After that I start the installation of the new firmware

> request system software add <http link>

Depending on the device this process can take 15 minutes or more.
When the upgrade is complete you will be asked to reboot the device.
Please do not just pull the cable, give it a graceful reboot.
(Trust me)

> request system reboot

When your reboot is done, check that the new version (15.1R6-S3) has been applied.

Cheers,
Ori

by Ori

Find connected devices

In this article I want to show you how you can find devices that are attached to a juniper router.

Search the MAC table

You can print out the entire mac table using this command

> show ethernet switching table

If you want to know what is connected to a specific interface use this

> show ethernet switching-table interface ge-0/0/2

If you know the MAC of the device you are looking for, this command will find it

> show ethernet switching-table | match <string>

If you only want to see what devices are connected to the Gigabit Ethernet interfaces do this
> show ehternet switching table | match ge-

Be careful... if you use aggregated interfaces (AE) or glas modules (SFP) this search pattern would not work.

Cheers,
Ori

by Ori

Vlan configuration

In this article I will show you how to configure V-Lans on a Juniper Router.
VLANs are virtual networks defined by the IEEE Standard 802.1q.

The idea is to run separated networks on the same physical infrastructure.
This gets accomplished by adding another 32Bit to the frame on layer 2, containing the V-Lan related information.

It is important that all devices that are supposed to forward tagged frames do support 802.1q.
If a device is unable to handle frames of that size it will simply destroy them.

Creating a VLAN

First we check if V-Lans on that device already exist.

#show vlans

Now we define two V-Lans named first und second.
First is going to be assigned the VLAN-ID 10.
Second is going to be assigned the VLAN-ID 20.

# set vlans first vlan-id 10
# set vlans second vlan-id 20

Lets take a look at the V-Lan config.

root# show vlans
default {
    l3-interface vlan.0;
}
first {
    vlan-id 10;
}
second {
    vlan-id 20;
}

This output should be pretty self explanatory.
Before making an interface become a member in one of these V-Lans we should take a look at the difference between tagged and untagged interfaces.

Tagged and untagged interfaces

V-Lans can be configured in two modes on an interface.

Access (native / untagged):

• Every interface can only be of type Access for one V-Lan
• An Access Interface receives untagged traffic and attaches a V-Lan tag to that traffic before forwarding it
• You will usually use this setting to connect clients or devices that are unable of speaking V-Lan

Example: Gigabit Ethernet Interface 10
This interface will receive untagged (normal) traffic and forward it with the V-Lan Tag "10".
The V-Lan Tag will removed before sending traffic outbound.
For example broadcast traffic for V-Lan 10 or traffic for a device located behind this interface (ARP table).
This way the device on the other end can understand the traffic and does not even know it ever had a V-Lan tag attached to it.

ge-0/0/10 {
    unit 0 {
      family ethernet-switching {
          vlan {
            members first;
          }
      }
   

Trunk (tagged):

• If an Interface is defined as a trunk it receives and sends tagged frames for certain V-Lans
• Usually interfaces that have other V-Lan capable devices on the other end get defined that way

Example: Gigabit Ethernet Interface 12
This interface receives tagged traffic for the V-Lans 10 and 20.
If traffic that is supposed to be sent to that network, the V-Lan Tag will be attached to the frame.

Important: A Trunk Interface does not need to be a member in all V-Lans!

ge-0/0/12 {
    unit 0 {
      family ethernet-switching {
         port-mode trunk;
            vlan {
               members [ first second ];
            }
         }
      }
   }

Setting up an IP address on a V-Lan Interface
Please make sure to make the Unit ID the same as th VLAN ID to minimize confusion!!
Your colleagues will hate you if you don't.

At first we will configure a virtual interface with an IPv4 address

#set interface irb unit <UNIT ID> family inet address <IP/subnetmask>

Then we make that interface a member of a V-Lan
# set vlans <VLAN NAME> l3interface irb.<Interface ID>

Then we define this interface to be of type access in this V-Lan

# set interface ge-0/0/2.20 family ethernet-swtiching port mode access

In this case the commands could look like this:

# set interface irb unit 10 family inet address 10.0.10.1
# set vlans 10 l3interface irb.10
# set interface ge-0/0/2.10 family ethernet-swtiching port mode access

If we now connect a cable to the interface ge-0/0/2 our traffic will be sent to V-Lan 10.
Since the we configured the router to have an IP address on the layer 3 interface irb.10, we can now connect to it via ssh on 10.0.10.1.

Cheers,
Ori

by Ori

Setting up link aggregation

Bundeling multiple physical connections to maximize troughput and get redundency is called Link Aggregation.

!WARNING, Terminology-fu! 
Networking equipment manufacturers do not use the same technical terms.
For example HP calls aggregating interfaces "Trunking" and aggregated interfaces a "Trunk".
"Trunking" is a term used by Cisco and Juniper in V-Lan (802.1q) to describe interfaces that are allowed to forward V-Lan traffic.
Such an interface is referred to as a "Trunk Port", while HP calles this a "Tagged Interface".
If you are in a homogenic network eqipment envoirement that is passing V-Lan tagged traffic over aggregated interfaces you really have to watch your lingo!
(Especially if multiple parties are involved!)

The common protokoll used here is the Link aggregation control protocoll (LACP).

Setup

In this example I show you how the Interfaces 22 and 23 on a Juniper EX3300 POE+ can be aggregated to one AE.

At first connect to the serial port of the Junipers switch and start it.
This can take a few minutes.

We must allow aggregated interfaces to exist in this chassis (a one device chassis in this case).
Set the device-count from 0 up to 1 (or more).

set chassis aggregated-devices ethernet device-count 1

Delete the configuration of the interfaces ge-0/0/22 and ge-0/0/23.

delete interfaces ge-0/0/22 unit 0
delete interfaces ge-0/0/23 unit 0

After that we definieren the interfaces as ae0 and to be a type 802.3ad (Link Aggregation)

set interfaces ge-0/0/22 ether-options 802.3ad ae0
set interfaces ge-0/0/23 ether-options 802.3ad ae0

Then we give an IP address to ae0 .
set interfaces ae0 unit 0 family inet address 10.10.60.2/30

Finally we have to let the Juniper switch know that LACP gets used on ae0.

set interfaces ae0 aggregated-ether-options lacp active

Jetzt können wir noch testen, ob das Interface hochgefahren ist (up up) und einen Ping absetzen.

show interfaces terse | match ae0
ping 10.10.60.1

Cheers,
Ori

by Ori

Configure an IP Address on an Interface

In this article I will show you how to set an IP Address on an interface.
Before we do this however let me tell you something about Interface Families.

Interface Familien

An interface in Juniper has to be defined as a member of an Interface Family.
What configuration can be set on an interface is depending on what Familiy it is a member of.

Possible Families are are:

• inet → IPv4
• inet6 → IPv6
• iso → IS-IS (routingprotokoll, simmular to OSPF)
• ethernet-switching → Layer 2 Lan Switching
• mpls → Label Switching (Layer 2 Switching)

When I sayed that we were going to give the Interface an IP Address I have not been percize enaugh.
We are going to give the Interface an IPv4 Address.

Setting the IPv4 Address

At first we change into the configuration mode.
Here I am checking the current configuration of Interface ge-0/0/1.

Since there already is an IP Address on the Interface I am deleting it.
Since your system has been reset you can skip this part.

Afterwards I set the IP Address using the command:

set interfaces ge-/0/0/1 unit 0 familiy inet address <IP Adresse>

Then apply the changes with the commit command.
In the gif below I am running a constant ping against the interface so you can see when the changes are in effect.

Cheers,
Ori

by Ori

03_Basic configuration

In this article I want to show you how to do a basic configuration of a juniper router.
You should be connected to the Routers CLI.

Resetting the Router

The first thing we will do is reset the router to the factory defaults.
To do this type in operational mode request system zeroize.

This can take 10 Minutes or longer.

Change the Passwort

When the system has been resetted we will change the root password.
Do this by using the command set system root-authentication plain-text-password in config mode.

Don't forget to commit, otherwise your changes will not have any effect!

Cheers,
Ori

by Ori

02_The CLI

The CLI or Command Line Interface is a textbased konfiguration utility.
With it you can get information about the current konfiguration and staus of the device or change the configuration.

Basics

When you are connected to the Router your prompt looks something like this.

Root is the user you are logged in with and you are working on Routing Engine 0.
To start the CLI simply type cli.

There are two modes in wich you can operate, operational and configuration.
You will always enter the cli in the operational mode.

In operational mode you prompt is > and in configuration mode it is #.

In the operational mode you will get informations on the current state of the Router like:

• What does the current mac address table look like
• How much Watt is used on Interface ge-0/0/3 over POE right now?

In the configuration mode you can check and change the configuration:

• What is the configuration on Interface ge-0/0/3?
• Change what v-lans are tagged on Interface ge-0/0/3

Changes to the config are not live on Juniper!
You change whats called a candidate config.
To let the changes take effekct you have to run the commit command.

Finding Commands

In both modes you have a lot of commands you can choose from.
Wich ones is depending on what device you have and firmware version you have isntalled.

You can list all available command in the mode you are currently in with ?.

To see what parameters a command has you can type another ? after it.
< [Enter]> means that the command can be executed at this point.

If you want to get more information regarding a command you can use the builtin help.

Help Apropos <string>
Is listing ALL possible commands containing the searchstring.
Is capable of regex.

• Help Apropos vlan → is finding very much
• Help Apropos „*vlan “ → is finding only what is ending in vlan
• Help Apropos „ vlan „ → is finding only "vlan" as a single word

Help Refference <statement-name>
Same as manpage

• Help Refference snmp alarm → dscribes function and syntax
• Help Refference ospf area → describes syntax and options

Help Topic <word>
Info about usage guidelines

• help topic interfaces family → explains how to configure protocol families on Juniper Interfaces

Cheers,
Ori

by Ori

01_Connect to the CLI

To configure a Juniper router you have to connect to the Command Line Interface.
In this article I will show you two ways to do this.

Mit der CLI Verbinden

To start the CLI you will have to connect via SSH or over Console Cable.

If the Juniper device already has an IP Address and you want to connect over SSH the linux terminal brings that out of the box.
On windows you can use Putty or Bash from the Linux Subsystem for Windows.

The other option is using a serial cable and possibly a USB Serial Adapter.

Connect the serial cable to the console port of the device and the other end to your laptop

Diffrent then for example on cisco devices the console ports often are in the back.
If they are mounted in a 19" rack this can mean that they are hard to reach.

To connect to a divice via Serial you have to know what COM Port they are on.
In Windows you can check Device Management by pressing Windows+r > devmgmt.msc.

After that you have to change the Serial Settings in Putty.
The other Serial options like baudrate are fine.

After that you can connect to the router using Session > Serial.

In Linux you can install minicom to connect to the router using the serial adapter.

sudo apt-get install minicom

After you have connected the serial cable using USB you can check dmesg for the new USB device.

dmesg | grep USB

Here you will find [...] now attached to TTYUSB [...] followd by a number.
Now start serialcom and select the serial device /dev/ttyUSB<number>

serialcom -s

Cheers,
Ori

by Ori