7th April 2015 Juniper Troubleshooting Commands
Managing configuration
>configure exclusive - to prevent others modifying the configuration while in configuration mode
# status - show users currently logged in
# compare (filename | rollback n)
#commit | display detail - debug commit
#commit check
#commit comment
#commit confirmed
#commit at [hh:mm | yyyy-mm-dd hh:mm | reboot], to cancel:
>clear system [commit | reboot] - to cancel scheduled state:
>show system commit
>show configuration ....
#load (set) {merge | replace | override} {relative} [terminal | file] - paste - Ctrl+D to end
#show | compare (filename | rollback n)
#show | display set
#show | display changed
#show | display detail
#show | display omit statement
Configuration modification commands:
#annotate “evox” - annotate part of configuration
#activate/deactivate
#copy / delete / rename - works with wildcards, e.g. delete fe*
rename - string in configuration
#replace pattern
#protect / unprotect a statement
#exit
#quit configuration-mode
>show system rollback 10
>show system rollback compare 10 12
>show system commit
System:
>show version {detail}
>request system reboot | power-off
>file [copy | list | delete | show | rename]
>show system storage
>show chassis hardware detail
>show chassis alarms
>show chassis environment
>show chassis craft-interface — show router LED alarms
>show configuration | display detail
>show system users — who is logged in to the system
>request system logout user username - forcefully log out a user
>request message all message "log out now"
>show system boot-messages — boot log
Interfaces/Hardware:
Display information about memory, CPU temperature, load and uptime:
>show chassis routing-engine
To view hardware and SFPs installed in a slot:
General hardware overview
> show chassis hardware
Which FPCs are in use
> show chassis fpc
To display details of the PIC installed in a slot:
> show chassis pic pic-slot 0 fpc-slot 0
To see light levels for fibre interface:
> show interfaces diagnostics optics
Logging
#set system syslog file messages any info - to save all log messages to file "messages"
>show log messages | match LOGIN | match "Mar 16"
>file list detail /var/log = ls -al (to see permissions, etc.)
>clear log messages - to clear the contents of the messages file
>monitor start messages - live monitoring of messages file
>monitor list
>monitor stop - to stop all
For more detailed information about a process, under the process level:
#set traceoptions file filename world-readable
#set traceoptions flag all
>help syslog — to show information about syslog messages
Security Policies
View security policy:
> show security policies from-zone Proxy-DMZ to-zone Inside detail
To check if traffic will pass through the security policies (useful when not able to generate traffic):
> show security match-policies from-zone Outside to-zone Inside protocol xxx source-ip xxx source-port xxx destination-ip xxx destination-port xxxx
General Monitoring and troubleshooting
>monitor traffic interface ge-0/0/0
>monitor interface ge-0/0/0
>monitor traffic interface ge-0/2/3 matching "proto 89" write-file ospf.cap - matches proto 89 and writes it in ospf.cap
> show security flow session ... options
>show system statistics - all packet types statistics for a device
>test policy
Routing
>show route
>show route terse - nice concise output with the following information: A-active, Destination, P-protocol, Prf-preference, Metric 1, 2, Next-hop, AS path
>show route protocol [static|direct|ospf]
>show route forwarding-table - to see active routes in the forwarding table
Troubleshoot OSPF
>show route forwarding-table - to see active routes in the forwarding table
>show route protocol ospf
>show ospf overview
>show ospf interface
>show ospf neighbor
>show ospf database detail
>show ospf neighbor [extensive]
>clear ospf neighbor [192.168.254.225]
>show ospf statistics
>show ospf interface [extensive]
>show ospf route [abr|asbr|extern]
>show route protocol ospf
>show ospf database [summary|brief]
>show ospf database [router|network|netsummary|asbrsummary|extern|nssa]
>show ospf database router advertising-router 10.0.3.3 detail
>show ospf database router area 0 extensive
>show ospf database area 0 lsa-id extensive
>clear ospf database purge
>show ospf log
>show bgp summary
>show bgp neighbor 1.1.1.1
>show route advertising-protocol bgp <neighbor-address>
>show route receive-protocol bgp <neighbor-address>
To find a range of prefixes in the routing table:
>show route 200.10/18
>show route terse - better routing output
Troubleshoot NAT
Source
>show security nat source summary
>show security nat source rule
>show security nat source pool
Static
>show security nat static rule
Destination
>show security nat destination summary
>show security nat destination pool
>show security nat destination rule
>show security flow session
Set Firewall filter to count packets (see further down)
Firewall
>show firewall
>show firewall log
>clear firewall [all|filter-name|counter-name]
>show interfaces filters
>show interfaces policers
>show policer
Set Firewall Filter to count packets through the SRX
# show interfaces ge-0/0/0
...    ## This address was already set on the interface
# show firewall family inet filter icmp
term 1 {    ## This is the main term which will count the packets
    from {
        source-address 3.3.3.3;
        destination-address 1.1.1.1;
        protocol icmp;
    }
    then {
        count icmp-counter;    ## The icmp-counter will show the bytes/packets incrementing
        accept;    ## This will accept the packets if you don't want them to be dropped. You can use - "drop" or "reject" and/or "log"
    }
}
term default {    ## This term will ensure that the other traffic is not affected.
    then accept;
}
Then the Firewall Filter stats can be checked with:
> show firewall filter icmp
Counters:
Name            Bytes    Packets
icmp-counter
Packet Flow
Monitor traffic targeting the interface (useful for ping, ssh, etc.)
>monitor traffic interface ge-0/0/0 [extensive]
Display live sessions:
>show security flow session [destination-port|destination-prefix|source-port|source-prefix] {extensive|brief|summary}
Create packet filter and capture packets:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709
forwarding-options {
    /* Filename and file properties */
    packet-capture {
        file filename test_capture;
        maximum-capture-size 1000;
    }
}
firewall {
    /* Capture filter with action sample */
    filter CAPTURE_PCAP {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
                destination-address {
                    2.2.2.2/22;
                }
                destination-port 22;
            }
            then {
                sample;
                accept;
            }
        }
        term Allow_All {
            then accept;
        }
    }
}
interfaces {
    /* Apply the firewall filter in input and output direction: */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output CAPTURE_PCAP;
                }
                address 172.16.46.121/24;
            }
        }
    }
}
File can be found in /var/tmp and opened with Wireshark
> file list /var/tmp/ | match test_capture*
On EX Switches Mirror port traffic to remote capture server:
# set analyzer employee-monitor input ingress interface ge-0/0/0.0
/* optional sampling ratio - 1 of every 200 packets will be forwarded */
# set analyzer employee-monitor ratio 200
# set analyzer employee-monitor output interface ge-0/0/10.0
Alternatively the output can be a VLAN. The VLAN needs to be specified under VLANs:
# set vlans remote-analyzer vlan-id 999
Operational mode flow session monitoring (requires Junos 12.1)
>monitor security flow file
match pa’
>monitor security flow filter source-prefix 10.52.20 destination-prefix 10.75.0.1 destination-port 389 protocol tcp source-port 12354 temp_test_filter
>show monitor security flow
>monitor security flow start
>monitor security flow stop
>clear monitor security flow filter temp_test_filter
>file delete /var/log/tmp_test
Tips
>set cli timestamp
#set chassis alarm management-ethernet link-down ignore
> show interfaces | match "(*Physical.* ge-(*Physical.*UpS)"
> show version and haiku
Ctrl+R: search history of previous commands
Use # for the rest of the line in a script to be ignored
Use the save CLI pipe to save output to a local or remote file
Type 'b' at the more prompt to go backwards one page
Type '/' at the more prompt to search for a string in the rest of the output.
In configuration mode, type rollback ? to see when previous configurations were
committed, and by whom.
In configuration mode, the status command displays who is editing the configuration
and where in the hierarchy they are working.
In configuration mode, the delete command with no arguments will delete the entire configuration hierarchy under the current location.
>show cli history
>help tip cli
To move interface configuration: replace pattern ge-0/0/0 with ge-0/1/0
# wildcard delete interfaces ge-0/0/[2-3]
Junos software contains default configurations in a hidden group named junos-defaults. To see them, use the show configuration groups junos-defaults command
>test policy policy_name 1.1.1.1/12 - run a route through a policy
To see changes from a particular commit in the past:
>show system commit - identify the change you want to see (e.g. 2), and then
>show system rollback compare 3 4
To see the default Junos preconfigured applications:
user@host> show configuration groups junos-defaults applications
Posted 7th April 2015 by Bal Dos!
Labels: Juniper, JUNOS