Professional Documents
Culture Documents
12.b
Student Guide
Volume2
Juniper Networks reserves the right to change. modify, transfer. or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. TheJunos operating system has
no known time-related limitations through the year 2038. However. the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By usingJuniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software. may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Contents
This three-day course is designed to provide introductory troubleshooting skills for engineers in a
network operations center (NOC) environment. Key topics within this course include
troubleshooting methodology, troubleshooting tools, hardware monitoring and troubleshooting,
interface monitoring and troubleshooting, troubleshooting the data plane and control plane on
devices running the Junos operating system, staging and acceptance methodology,
troubleshooting routing protocols, monitoring the network, and working with JTAC. This course is
based on Junos operating system Release 12.2R2.5.
Objectives
After successfully completing this course, you should be able to:
Reduce the time it takes to identify and isolate the root cause of an issue impacting
your network.
Gain familiarity with Junos products as they pertain to troubleshooting.
Become familiar with online resources valuable to Junos troubleshooting.
Gain familiarity with Junos tools used in troubleshooting.
Identify and isolate hardware issues.
Troubleshoot problems with the control plane.
Troubleshoot problems with interfaces and other data plane components.
Describe the staging and acceptance methodology.
Troubleshoot routing protocols.
Describe how to monitor your network with SNMP, RMON, JFlow, and port mirroring.
Become familiar with JTAC procedures.
Intended Audience
The course content is aimed at operators of devices running the Junos OS in a NOC environment.
These operators include network engineers, administrators, support personnel, and reseller
support personnel.
Course Level
Junos Troubleshooting in the NOC is an introductory-level course.
Prerequisites
Students should have basic networking knowledge and an understanding of the Open Systems
Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend
the Introduction to the Junos Operating System (IJOS) course and the Junos Routing Essentials
(JRE) course, or have equivalent experience prior to attending this class.
Day1
Chapter 1: Course Introduction
Chapter 2: Troubleshooting as a Process
Lab 1: The Troubleshooting Process
Chapter 3: Junos Product Families
Lab 2: Identifying Hardware Components
Chapter 4: Troubleshooting Toolkit
Lab 3: Monitoring Tools and Establishing a Baseline
Day2
Chapter 5: Hardware and Environmental Conditions
Lab 4: Monitoring Hardware and Environmental Conditions
Chapter 6: Control Plane
Lab 5: Control Plane Monitoring and Troubleshooting
Chapter 7: Data Plane: Interfaces
Lab 6: Monitoring and Troubleshooting Ethernet Interfaces
Chapter 8: Data Plane: Other Components
Lab 7: Isolate and Troubleshoot PFE Issues
Day3
Chapter 9: Staging and Acceptance Testing
Chapter 10: Troubleshooting Routing Protocols
Lab 8: Troubleshooting Routing Protocols
Chapter 11: High Availability
Chapter 12: Network Monitoring
Lab 9: Monitoring the Network
Chapter 13: JTAC Procedures
Appendix A: Interface Troubleshooting
Franklin Gothic Normal text. Most of what you read in the Lab Guide
and Student Guide.
CLI Input Text that you must enter. lab@San Jose> show route
CLI Undefined Text where the variable's value Type set policy po.licy-name.
is the user's discretion and text
ping 10.0.�
where the variable's value as
GUI Undefined shown in the lab guide might Select File > Save, and type
differ from the value the user £i.lename in the Filename field.
must input.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net;techpubs/.
Locate the specific software or hardware release and title you need, and choose the
format in which you want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
Objectives
We Will Discuss:
Initial inspection and power-on of Junos devices;
General system checks for newly deployed Junos devices; and
Loopback testing of new interfaces.
Initial Installation
• Installation directions and safety guidelines for Junes
devices are provided through hardware
documentation at www.juniper.net/techpubs
• Choose hardware family and then the specific device
• Complete hardware guide available in PDF format
MX240 30 Universal Edge Router
Initial Installation
Installation and safety guidelines are not in the scope of this course. However, the slide shows you how to access detailed
installation guides at the www.juniper.net;techpubs website.
There are also hardware installation computer-based training modules available at the
https://learningportal.juniper.netjjuniper/user_courses.aspx learning portal website. You can easily find the installation
trainings by performing a keyword search using the term installation.
What Is Staging?
What Is Staging?
As shown on the slide, staging is a process used to detect hardware issues prior to any user impacts. It is notable that most
hardware failures occur within the first 48 hours of a device's operation. Th.erefore, it is important to let the hardware
operate for at least two days before acceptance. We recommend that you perform the tests outlined in this chapter twice
once after system power-on and again after two days of continuous operation.
r�
Juniper
" .. ' to 1
.: C !!014Junlp;,Netwctl!s, ltlc.AII njJl!lsreseM><L � Worldwide Education Services WWWJU,Hpernel I 6
��d���.-t� - %1 __,
:i..
Alarm Checking
Once the system has fully powered up and you are able to log into the device using either a console or management port,
check for any chassis alarms with the show chassis alarms command. Do not be alarmed if you notice the alarm
shown on the slide. It is common to see an alarm for the management interface since it may not be connected at initial
power-on.
Note that you can change the default behavior of alarms through configuration. For example, you can choose to display
alarms for any Ethernet interface for which a link is in the down state as shown below.
[edit chassis alarm]
user@mx# show
ethernet {
link-down red;
Check Temperatures
• Sample output from an MX80:
user@mx> show chassis environment
Class Item Status Measurement
Temp ?EM 0 OK
PEM 1 Absent
RE 0 Intake OK 31 degrees c I 87 degrees F
RE 0 Front Exhaust OK 35 degrees c I 95 degrees F
RE 0 Rear Exhaust OK 34 degrees c I 93 degrees F
Rom:ing Engine OK 39 degrees c I 102 degrees F
Routing Engine CPU OK 50 degrees c I _22 degrees "'
TFEB 0 QX 0 TSen OK 36 degrees c I 96 degrees F
TFEB 0 QX 0 Chip OK 46 degrees c I 114 degrees F
TFEB 0 LU 0 TSen OK 36 degrees c I 96 degrees F
TFEB 0 LU 0 Chip OK 49 degrees c / 120 degrees F
TFEB 0 MQ 0 TSen OK 36 degrees c I 96 degrees F
TFEB 0 MQ 0 Chip OK 44 degrees c / 111 degrees F
TFEB 0 TBB PFE TSen OK 34 degrees c I 93 degrees F
TFEB 0 TBB PFE Chip OK ·"- degrees c I _Q7 degrees F
a�
TFEB 0 TFEB PCIE TSen OK 37 degrees c I 98 degrees F
TFEB 0 TFEB PCIE Chip OK 52 degrees c 125 degrees F
::ans Fan 1 OK Spinning at normal speed
Fan 2 OK Spinning at normal speed
Fan 3 OK Spinning at normal speed
Check Voltages
Interface Testing
The slide highlights the topic we discuss next.
• www.juniper_netjtechpubs/en_US/junos12.3/information
products/topic-collections/nog-interfaces/index.html
• Example continued
2. Clear the interface statistics for the interface under test
user@mx> clear interfaces statistics xe-0/0/0
• Example continued
4_ Verify the appropriate number of packets are sent and
received on the tested interface
• Based on 10x the TIL
Summary
• In this content, we:
• Performed the initial inspection and power-on of a Junos
device
• Performed general system checks recommended for a newly
deployed Junos device
• Determined the status of new interface connections by
performing loopback testing and monitoring
We Discussed:
Performing initial inspection and power-on of a Junos device;
How to perform general system checks on a newly deployed Junos device; and
How to perform loopback testing on an optical interface.
Review Questions
1. What is staging?
2. What are three critical directories to check with the
show system storage command?
3. When doing loopback testing on an Ethernet
interface, why must you configure a static ARP
entry?
Review Questions
1.
2.
3.
2.
Among orhcr checks, you should verify the I (root), I config, and /var directories arc present and mounted in the output of the
show sy ste1n storage co011nand.
3.
You use a static ARP entry to associate the simulated remote destination IP address with rhe manually-configured MAC address on the
interface. This is required because an Ethernet interface will not send packets to itself and an ARP reply is required before the interface
will send the ICMP echo requests required for rhe test.
Objectives
We Will Discuss:
How to troubleshoot OSPF;
How to troubleshoot BGP;
How to troubleshoot routing loops; and
How to troubleshoot route oscillation.
�Troubleshooting OSPF
• Troubleshooting BGP
• Troubleshooting Routing Loops and Route Oscillation
Troubleshooting OSPF
The slide lists the topics we will discuss. We discuss the highlighted topic first.
OSPF Areas
• Areas
• Single AS can be divided into smaller groups called areas
• Reduces the LSDB because LSA flooding is now constrained
to the area
• Routers maintain a separate LSDB on a per-area basis
• Each LSDB within an area still must be identical on all routers
• Special OSPF area called the backbone area
• Backbone area (0.0.0.0) distributes routing information
between areas
• All other OSPF areas must connect to the backbone area
• All user traffic from one area to another must traverse the
backbone
OSPFAreas
Using areas achieves the OSPF hierarchy. As mentioned previously, areas reduce the size of the LSDB on an individual router.
Now, each router maintains a separate LSDB for each area to which it is connected.
Backbone Area
To ensure correct routing knowledge and connectivity, OSPF maintains a special area called the backbone area. This backbone
area is designated as area 0. All other OSPF areas must connect themselves to the backbone for connectivity. All data traffic
between OSPF areas must transit the backbone.
,-,-�---""""
1 ., ' �
:'c:w�; Jun1pe,���.ridttS�
��-11.:i-.. ""'�- .c!&� t -- -
JLJnf�
-
WorldwideEducationServices
A
www,un,pernet Is
Clearing Adjacencies
• Clearing adjacencies:
• Use the clear ospf neighbor command to clear
OSPF adjacencies:
user@router> clear ospf neighbor 192.168.254.225
Clearing Adjacencies
Use the clear ospf neighbor command to clear OSPF adjacencies. Note that in most cases the adjacency should reform
immediately.
• OSPF Adjacencies
• No neighbor
• Physical and data-link-layer connectivity
• Mismatched IP subnet, subnet mask (on multi-access links). area
number. area type. authentication. hello or dead interval, or
network type
• Stuck in two-way state
• Normal for DR-other neighbors
• Stuck in exchange start
• Mismatched IP MTU
OSPF Tracing
• Trace OSPF to gain insight into what the protocol is
doing
•Atypical tracing configuration:
[edit protocols ospf]
user@router# show
traceoptions {
file ospf-trace;
flag error detail;
flag hello detail;
flag lsa-update detail;
IGPTracing
To perform debugging functions on the OSPF routing process, use the Junos OS traceoptions function. The trace output (debug
information) is directed to the named log file, which is stored in the
/var/log directory on the router's storage space. You can view the log file using themonitor start or show l.og operational
mode commands. In addition to specifying the trace file, you must also tell the router what information you want to trace by
specifying one or more fl.ag keywords.
While you can only direct tracing to a single file, you can trace many options by using the fl.ag keyword multiple times. In
addition, you can add granularity by using the detail., receive, and send flag modifiers.
Continued on the next page.
Troubleshooting BGP
The slide highlights the topic we discuss next.
What Is BGP?
• BGP defined
• Is an interdomain routing protocol that communicates
prefix reachability
• Is a path-vector protocol
• Views the Internet as a collection of autonomous systems
• Supports CIDR
• Exchanges routing information between peers
• Is defined in RFC 1771
What Is BGP?
BGP is an inter-AS routing protocol and is sometimes called a path-vector routing protocol because it uses an autonomous
system path, used as a vector, to prevent interdomain routing loops. The term path vector, in relation to BGP, means that BGP
routing information includes a series of AS numbers , indicating the path that a route takes through the network.
BGP exchanges routing information among autonomous systems or domains. An AS is a set of routers that operate under the
same administration. BGP routing information includes the complete route to each destination. BGP uses the routing
information to maintain a database of network layer reachability information (NLRI), which it exchanges with other BGP systems.
BGP uses the NLRI to construct a graph of AS connectivity, thus allowing BGP to remove routing loops and enforce policy
decisions at the AS level.
BGP is a classless routing protocol, which supports prefix routing, regardless of the class definitions of 1Pv4 addresses. BGP
routers exchange routing information between peers. The peers must be connected directly for inter-AS BGP routing (unless
certain configuration changes are completed). The peers are Transmission Control Protocol (TCP) peers, which is addressed
later in this chapter.
For more detail information concerning BGP, please refer to RFC 1771.
BGP Fundamentals
• Fundamentals of BGP
• Each BGP update contains one path advertisement and
attributes
• Many prefixes can share the same path
• Routes consist of destination prefixes with an AS path and
other BGP-specific attributes
• BGP compares the AS path and other attributes to choose
the best path
• BGP withdraws unreachable routes
BGP Fundamentals
Routes in BGP consist of destination networks and attributes associated with those routes. Each BGP update contains one path
advertisement. However, many destinations can share the same path.
Once a connection is functioning, BGP sends routes. BGP routes consist of destination prefixes, each associated with BGP
attributes. Some of the complexities of BGP are the variety of these attributes, the order of their execution, and various rules
that can be applied to the attributes. BGP can associate one or more attributes with a route advertisement. Attributes carry
descriptive information about the route and are used in choosing the best path to a destination.
BGP attributes describe the following, as well as other items:
The next hop for a packet sent to a particular destination;
Various numeric-type attributes;
The path through autonomous systems that a routing announcement has traversed to arrive at the destination
where it is now; and
The method of generation for the prefix, or which protocol originated the route.
When two devices communicate through BGP, the receiving device assumes that a route remains active (should the BGP next
hop be accessible) until the originator explicitly withdraws it or until the session is terminated.
• TCP connectivity:
• Idle
• Connect
• Active
• BGP connectivity:
• OpenSent
• OpenConfirm
• Established
TCP Connectivity
To exchange traffic using BGP, we first must establish a TCP connection. The following list shows the possible states for these
sessions:
Idle: This is the initial neighbor state. All BGP connections are refused. BGP waits for a start event, usually caused
by configuring a BGP session or resetting an existing session. The router also might try to initiate a start event.
Connect: In this state, BGP waits for a TCP connection to be completed.
Active: In this state, a TCP timeout has occurred, and the TCP session is not established yet. The ConnectRetry
timer has restarted, and the system continues to listen for completion of TCP session. This state is bypassed when
a TCP session is established before the ConnectRetry expires.
BGP Connectivity
After establishing a TCP session, we can now attempt to create communication at the BGP level. The following list shows the
states for BGP connectivity:
OpenSent: The TCP connection is established and an open message has been sent to the remote peer. BGP waits
to receive an open message from the peer.
OpenConfirm: An open message has been received from the remote peer, and BGP now waits for either a keepalive
message or a notification message. If a keepalive is received, the state machine transitions to established. If a
notification message is received, the state machine transitions to idle.
Established: The BGP peers are fully adjacent and can exchange keepalive, update, and notification messages.
BGP Peering
• BGP sessions are established between peers
• BGP speakers
• Two types of peering sessions:
• EBGP (external) peers with different autonomous systems
• IBGP (internal) peers within the same AS
• IGP connects BGP speakers within the AS
• IGP advertises internal routes
BGP Peers
BGP is a protocol in which routing information exchanges occur between exactly two nodes, called peers. These peers can be
connected either directly or remotely.
.•S•,
I \
\
'
I
l
I
e7�
I
·� [&1. �
..=----------
� -�-------'�
I-�· '��
. �
·•'
- �:�-.��- - e-...:.__
' ' .
re,· · · · · · · ®,':
1 I EBGP, ,..------------------,,
CUstomer AS 1
=
.,, .,e�-- · · · · · =-;e ,
--------------------------------------------------
I
, /
'
\
I l
1
.. · Full-Mesh ,•'1 Router B
Router A •, I . 1BGP . ••
� v
··.. .
..1.·
,.,,,,··
2 255.3/32
�-------------------------------------------------'
AS1
In most cases soft clears are performed to support changes in VPN policy that result in previously discarded prefixes now being
considered a match against one or more locally defined route targets. In a non-VPN context, a soft clear is used to refresh routes
that are not stored in input RIB due to input sanity checks such like AS loop detection. After enabling AS loops support under
[edit routing-options], a soft clear should result in the display of routes that were previously discarded due to an AS
loop condition, without forcing the tear down and reestablishment of the related BGP session.
v:
··.... ., ,
·· ... · ···········........
·
200_0_3_0 24. / ------
NH=10_0_16_2
-- ... ....
... '
Y..
··.. ··.. ., I
., ,,,
···············
200.0.3.0/24,
-------
NH=10.0.16.2
Route Damping
EBGP routes that experience too many state transitions (flaps) in a given period of time are hidden when route damping is
enabled. These routes are displayed with a show route hidden command, along with all other hidden routes. You can add
the detail option to the show route hidden command to determine if BGP damping has caused the route to be hidden.
The show route protocol bgp damping command in conjunction with the suppressed option is even better because
this command displays only those routes that are hidden due to BGP damping.
Use the clear bgp damping command to activate BGP routes that have been hidden because of damping when you believe
that the flapping condition has been corrected, and you do not want to wait for the route's figure of merit to decay by itself.
Tracing BGP
•Atypical BGP tracing configuration:
[edit protocols bgp group ext]
user@router# show
type external;
traceoptions {
file ebgp-trace;
flag open detail;
flag update detail;
peer-as 10;
neighbor 10.0.8.1;
neighbor 10.0.31.1
peer-as 2;
}
• Sample output:
user@router> monitor start ebgp-trace
ebgp-trace ***
Apr 6 16:45:50 bgp_send: sending 45 bytes to 10.0.31.1 (External AS 2)
Apr 6 16:45:50
Apr 6 16:45:50 BGP SEND 10.0.31.2+2541 -> 10.0.31.1+179
Apr 6 16:45:50 BGP SEND message type 1 (Open) length 45
.F.::;>r 6 16:45:50 BGP SEND version 4 as 3 holdtime 90 id 192.168.12.1 parmlen 16
Apr 6 16:45:50 BGP SEND MP capability AFI=1, SAFI=l
BGPTracing
To perform debugging functions on the BGP routing process, use the Junos OS traceoptions feature. The trace output (debug
information) is directed to the named log file, which is located in the
/var I log/ directory on the router's hard drive. You can view the log file using the monitor start or show log
operational-mode commands. In addition to specifying the trace file, you also must tell the router what information you want to
trace. You accomplish this by specifying one or more flag keywords.
While you can only direct tracing to a single file, you can trace many options by using the flag keyword multiple times. In
addition, you can add granularity by using the detail, receive, and send flag modifiers.
Continued on the next page.
• Troubleshooting OSPF
• Troubleshooting BGP
7Troubleshooting Routing Loops and Route Oscillation
RIP-1 R}-�2
�-······················.>� Areao
� �-·-·-·-��
,,r, /�.....I ··
. ''
I . '"'
I
Cif . . . . . . . . . . ��-�[J
i
.
v
/. .',
'.'
I
I
Host-2
RIP-2 R3 R4
0 Directly connected route on R4 is sent to the OSPF routers as an external OSPF route
0 R3 redistributes the external OSPF route into RIP and sends it to RIP-2
G) RIP-2 sends the route to RIP-1. then RIP-1 sends the route to R1
0 R1 redistributes the RIP route into OSPF as an external type 1 OSPF route. R2 and R3
now attempt to forward traffic through R1 to reach Host-2
Host-2
e·· · · · · · · ·�e-- e
Host-1 �RPtoOSPF:
RIP-1 ''\R:t�2
� � -0->
r a
�
:
:
.
· ',, I ',
""" ·. '
/:,.
,..®·. --Q�.-,-iD·
i osPFto_RIP_j ' - .. - '' -
. i c� �o os�� j
,!, "'-� , I 1. � ::_
· ·.�
. ..················.....
...........1------
. . .2
Host-2
RIP-2 R3 R4
·� · • 1721617
Where to Look
Routing loops are usually caused by improper route redistribution. Rl is redistributing OSPF routes into RIP which makes it a
prime candidate for problems . Examining the 172.16.17.0/24 route on Rl reveals that Rl has an OSPF version of the route
and a RIP version of the route. The output also reveals that Rl is preferring the RIP version of the route.
Also, you might need to examine the routing table on R3 if manipulating Rl"s configuration does not resolve the issue. Just
like Rl, R3 is redistributing routing information between OSPF and RIP.
[edit]
user@Rl* show protocols ospf �
export ospf-out;
[edit]
user@Rl* show policy-options policy-statement ospf-out
then {
external
type l;
accept;
JLJnm
"
i;;;,�:.ietwcrb, ...;;_All ilio,ts......-.
� - "'"'l""' "".-:.3'' "'Js '""' : 7 . ;;' ,.,.,.,
'.' �·2014 . .:c , Worldwide Education Services www4un;pe,.net I 57
��-�-.::.:de.,���:.�:;=-+-< ::..Ji--�-:, -- Afi �,= �
then
external
type l;
accept;
Summary
• In this content, we:
• Explained how to troubleshoot OSPF
• Described how to troubleshoot BGP
• Demonstrated how to troubleshoot routing loops
• Discussed how to troubleshoot route oscillation
We Discussed:
How to troubleshoot OSPF;
How to troubleshoot BGP;
How to troubleshoot routing loops; and
How to troubleshoot route oscillation.
Review Questions
Review Questions
1.
2.
3.
Objectives
• After successfully completing this content, you will be
able to:
• Discuss graceful routing engine switchover
• Explain graceful restart
• Discuss nonstop active routing and bridging
• Explain unified in-service software upgrade
We Will Discuss:
Graceful Routing Engine switchover (GRES);
Graceful restart;
Nonstop active routing (NSR) and bridging; and
Unified in-service software upgrade (ISSU).
High Demand
The networks of yesteryear were not vital to the day-to-day workings of a business. During these times, network outages were
common. Small or large network downtimes were the norm. If a network outage were to occur, workers could simply continue
doing there jobs with a slight downgrade in their efficiency. Fast forward to present-day where every second of network
downtime can cost a business millions of dollars. Welcome to the era of five 9s, or 99.999% system uptime. Many providers
and enterprises have service-level agreements (SLAs) that require them provide 99.999% system uptime for their
customers, any less results in a breach of contract and lost money and time.
• What is GRES?
• Dual routing engines required
• Interface and kernel information preserved
• Preservation of the forwarding plane
• Control plane is not preserved
• Main components synchronization, switchover, recovery
Hard drive on Detected EBGP
master RE failed, session failure.
switching to removing BGP
backup RE routes
;,: :::i
GRES Defined
The GRES feature in the Junos OS enables a routing platform with redundant routing engines to continue forwarding packets,
even if one routing engine fails. GRES preserves interface and kernel information. Traffic is not interrupted, however, GRES
does not preserve the control plane. Neighboring routers detect that the router has experienced a restart event and react to
the event in a manner prescribed by individual routing protocol specifications. To preserve routing during a switchover, GRES
must be combined with either graceful restart protocol extensions or NSR. Any updates to the master routing engine are
replicated to the backup routing engine as soon as they occur. If the kernel on the master routing engine stops operating, the
master routing engine experiences a hardware failure, or the administrator initiates a manual switchover, mastership
switches to the backup routing engine.
If the backup routing engine does not receive a keepalive from the master routing engine after 2 seconds, it determines that
the master routing engine has failed and takes mastership. The Packet Forwarding Engine (PFE) seamlessly disconnects
from the old master routing engine and reconnects to the new master routing engine. The PFE does not reboot, and traffic is
not interrupted. The new master routing engine and the PFE then become synchronized. If the new master routing engine
detects that the PFE state is not up to date, it resends state update messages.
Successive routing engine switchover events must be a minimum of 240 seconds (4 minutes) apart after both routing
engines have come up. If the router displays a warning message similar to Standby Routing Engine is not ready
for graceful switchover . Packet Forwarding Engines that are not ready for graceful
switchover might be reset, do not attempt the switchover. If you choose to proceed with the switchover, the PFEs
that were not ready for graceful switchover are reset. We recommend that you wait until the warning no longer appears and
then proceed with the switchover.
GRES Synchronization
Routing Engine O (Master) Routing Engine 1 (Backup)
cl1assisd
® ---- cl1assisd
ksyncd
w ...................... ........................ .
Kernel f'i"
GRES Synchronization
The switchover preparation process for GRES follows these steps:
1. The master routing engine starts.
2. The routing platform processes, such as the chassis process (chassisd), start.
3. The PFE starts and connects to the master routing engine.
4. All state information is updated in the system.
5. The backup routing engine starts.
6. The system determines whether GRES has been enabled.
7. The kernel synchronization process (ksyncd) synchronizes the backup routing engine with the master routing
engine.
8. After ksyncd completes the synchronization, all state information and the forwarding table are updated.
Helper chassisd
Router
4
Kernel
Configuring GRES
• Configuring GRES
• Configure chassis redundancy
[edit]
user@routeri set chassis redundancy graceful-switchover
[edit]
user@router# commit
warning: graceful-switchover is enabled, commit synchronize should be used
commit complete
{master} [edit]
user@routert set system commit synchronize
Configuring GRES
Configuring GRES is a straight forward process in which you simply enable the graceful-switchover option under the
[ edit chassis redundancy] hierarchy level. Once you apply the GRES configuration, notice that the banner changes
to tell you which routing engine you are currently logged in to. The slide depicts that banner for the master routing engine. If
you log into the command-line interface (CU) of the backup routing engine, the banner displays the output of {backup) to
alert you that you are in the backup routing engine. Note that you can log into the backup routing engine from the master
routing engine by using the request routing-engine login other-routing-engine operational command.
Although it is not strictly required, it is highly recommended that you use the commit synchronize command, as noted
by the CU warning, when enabling GRES. Using the commit synchronize command ensures that both routing engines
have the same configuration, which is very important during a routing engine switchover. The slide depicts the use of the
set system commit synchronize command. This command effectively turns the commit command into a commit
synchronize command by synchronizing the configuration between both routing engines when you issue the commit
command.
Note that when you configure GRES, you can bring the backup routing engine online after the master routing engine is
already running. There is no requirement to start the two routing engines simultaneously
Verifying GRES
{backup)
user@router> show system switchover
Graceful switchover: On
Configuration database: Ready
Kernel database: Ready
Peer state: steady state
Verifying GRES
To verify whether GRES is enabled and ready, issue the show system switchover command on the backup routing
engine-this command is not supported on the master routing engine. When the output of the command indicates that the
Graceful switchover field is set to on, GRES is operational. The status of the kernel database and configuration
database synchronization between routing engines is also provided.
Graceful Restart
The slide highlights the topic we discuss next.
[edit]
user@router# set protocols ospf graceful-restart disable
[edit]
user@router# set protocols 1dp graceful-restart disable
I I
processes
cl1assisd -
" 1 - rpd
Kernel
cl1assisd
@
External .� 3
Router
" Kernel
'I'
<p cp cp ·�
I
�
ii ··-··
Packet Forwarding Engine
It-'<'. t> - ' '. • ,0, •
2<1«��.!nc,AllrigMs� 1'* '. JUnm WorldwldeEducatlonServices
=·
www-1uniper..net I 19
2���JE±l"�1')ffjt·"i--::---v?/-"- _ w,m,;,=�= �=·�
Configuring NSR
• Configuring NSR
• Enable GRES
[edit]
user@router# set chassis redundancy gracefu1-switchover
• Enable NSR
[edit]
user@router# set routing-options nonstop-routing
.. ·;,; . .-
',C2!>14Juniper!f�·hlc.AJl"..u,,ts�rved.
� . , Jl:Jnm Worldwide Education Services www;umpernel I 20
f...,.t.,.,� • N,.," ��;i,, t�� ��£,,.,;!--',.' ,,,,z � � � �- �'- � _
Configuring NSR
Configuring NSR is simple and straight forward. First, you must configure GRES, as we discussed earlier. Next, you must
configure NSR by enabling the nonstop-routing option under the [edit routing-options J hierarchy level.
Finally, it is a requirement that you configure the Junos OS to synchronize the configuration whenever you activate the
configuration with the commit synchronize command under the [edit system] hierarchy level.
If you try to commit the NSR configuration without including the commit synchronize statement, the commit fails.
However, if the backup routing engine is down when you issue the commit, the Junos OS displays a warning and commits
the candidate configuration in the master routing engine. When the backup routing engine comes up, its configuration will
automatically be synchronized with the master routing engine.
Although it is not shown on the slide, you can enable the routing platform to switch over to the backup routing engine when
the rpd process fails rapidly three times in succession by including the other-routing-engine statement at the [edit
system processes routing failover] hierarchy level.
Verifying NSR
• Verifying NSR
• Master routing engine
{master}
user@rcuter> show task replication
Stateful Replica�ion: Enabled!+-------�
RE mode: Master
I
Protocol Synchronization Status
Configured protocol
CSPF I
NSR states
Complete
RIP Complete ,..--------ii
BGP Complete
IS-IS Complete
LDP Compiete
Verifying NSR
You can verify NSR operation by issuing the show task replication command on the master and backup routing
engines. Note that the command shows the current state of GRES and the NSR state of the protocols that are configured on
the router. The Synchronization Status field can display the state of NotStarted, InProgress, and Complete
for any configured protocol. If any protocol is not in the Complete state when a switchover event occurs, network topology
and traffic forwarding disruptions occur for the protocols that are not in the Complete state.
You can examine the replication state of BGP in more detail by issuing the show bgp replication command. The
following output displays an example of the command for the master routing engine.
user@router> show bgp replication
Synchronization master:
Session state: Up, Since: 44:07
Flaps: 0
Protocol state: Idle, Since: 14
Synchronization state: Complete
Number of peers waiting: AckWait: 0, SoWait: 0, Scheduled: 0
Messages sent: Open 1, Establish 924, Update 381, Error 60, Complete 114
Messages received: Open 1, Request 1 wildcard 113 targeted, EstablishAck 924,
CompleteAck 114
NSRand BFD
NSRand BGP
Nonstop Bridging
cl1assisd
-- 1 - Layer 2 control protocol process
(12cpd)
cl1assisd
" 3
I Kernel
I Kernel
cp � '
Packet Forwarding Engine
ir;::::�; k-�;��::::���
JUn!Ee[ Worldwide Education Services www,iurriper.net I 27
t-'::iill!ixi:!i!i�:\zlt,&li&\;;a«R, •;; =s!L� -""- �
Configuring NSB
• Configuring NSB
• Enable GRES
[edit]
user@router# set chassis redundancy gracefu1-switchover
• Enable NSB
[edit]
user@router# set protocois 1ayer2-controi nonstop-bridging
Configuring NSB
Configuring NSB is simple and straight forward. First, you must configure GRES, as we discussed earlier. Next, you must
configure NSB by enabling the nonstop-bridging option under the [edit protocols layer2-control]
hierarchy level. Finally, it is a requirement that you configure the Junos OS to synchronize the configuration whenever you
activate the configuration with the commit synchronize command under the [edit system] hierarchy level.
If you try to commit the NSB configuration without including the commit synchronize statement, the commit fails.
However, if the backup routing engine is down when you issue the commit, the Junos OS displays a warning and commits
the candidate configuration on the master routing engine. When the backup routing engine comes up, its configuration will
automatically be synchronized with the master routing engine.
Note that a newly inserted backup routing engine automatically synchronizes its configuration with the master routing engine
configuration.When you configure NSB, you can bring the backup routing engine online after the master routing engine is
already running. There is no requirement to start the two routing engines simultaneously.
Note that if you are using an EX Series Ethernet switch, you enable NSB by configuring the nonstop-bridging option
under the [edit ethernet-switching-options] hierarchy level.
.. I " .
JUnJJ;ef
�M'<-·-_>c -'-- - - - _..., -
• �20.1�'h<nlpo,Networio>,"!';�'�-- . Worldwide Education Services www;un;pe,.net 1 29
-�k�d,..( ""- _,; A ,�= � -
PFEO
Previous
Master RE Junos OS version
(REO) New
Junos OS version
PFE1
Backup RE
(RE1)
PFE2
PFEO
Previous
Junos OS version
New
Junos OS version
PFEl
,.-. - - .....,
I Backup RE I
E
L_� �_J PFE2
I Backup RE
_�E1)
L _J PFE2
PFEO I
L ____ J Previous
Junos OS version
New
Junos OS version
I Backup RE
E
I
L_� �_J PFE2 I
L ____ J
h\ chassisd sends an ISSU_REBOOT message to the FPCs;
0 the FPCs reboot with the new Junos OS image
® 8
After the FPCs reboot, the FPCs send a READY message to the
chassisd process on the master RE; Other processes prepare
for RE switchover
..C2014J"!!lp... �.lnc.AllrialdS"'50fflld..
"'�.J,;t;"' £�· t '� ...
Junm WorldwideEducationServlces
__;,==-----�· � �
WWW.jUll�net 134
I
l ____ J
,--- ----.
I Master RE
I ,-------,
l_�E�_J I PFE2 I
l ____J
Summary
• In this content, we:
• Discussed graceful routing engine switchover
• Explained graceful restart
• Discussed nonstop active routing and bridging
• Explained unified in-service software upgrade
We Discussed:
GRES;
Graceful restart;
NSR and bridging; and
Unified ISSU.
Review Questions
Review Questions
1.
2.
3.
Objectives
We Will Discuss:
How to configure and monitor Simple Network Management Protocol (SNMP);
How to configure and monitor Remote Monitoring (RMON); and
How to use flow monitoring.
SNMP
The slide lists the topics we will discuss. We discuss the highlighted topic first.
SNMP Overview
• What is SNMP?
• Application Layer protocol
• Designed to monitor and manage TCP/IP network devices
• Set of standards for network management
• Protocol
• Database structure specification
• Data Objects
• Monitors various parameters of managed devices
• CPU utilization
• Memory utilization
• Temperature
• Many other items
What is SNMP?
SNMP is an Application Layer protocol that is designed to monitor and manage TCP/IP network devices. SNMP manages
network devices through a set of protocols and data objects, which we discuss in detail in later slides. SNMP also monitors
managed devices for parameters such as CPU utilization, memory utilization, component temperature, and many other
items.
SNMP Architecture
-..
•NMS
Managed Device
• Contains SNMP manager software
••••••••••••••
NMS SNMPAgent
SNMP Architecture
The SNMP agent. which runs on the managed device, exchanges network management information with the SNMP manager
software running on a network management system (NMS), or host. The agent responds to requests for information and
actions from the manager. The agent also controls access to the agent's MIB, which is the collection of objects that can be
viewed or changed by the SNMP manager.
Managed Devices
• What is a managed device?
• Network node that resides on a managed network
• Routers, firewaiis, switches, servers, and much more
• Contains SNMP Agent
• Collects and stores management information
Routers
&---· --
Firewalls Switches servers
;......:...... ...... ......ij.J
" ·: .. ::::::::::=;
.... :
;......:...... .'."""""6
Managed Devices
A managed device is a network node that contains an SNMP agent and resides on a managed network. Managed devices
collect and store management information and make this information available to NMS devices using SNMP. Managed
devices, which are sometimes called network elements, can be routers, access servers, switches, computer hosts, printers,
and many other network elements.
SNMPAgent
-..
• Communicates with the NMS
Managed Device
..............
SNMPAgent
SNMPAgent
An SNMP agent is a network management software module that resides on a managed device. The agent has local
knowledge of management information and translates that information into a form that is compatible with SNMP. In the
Junos OS, the SNMP agent is the SNMP process (snmpd), which runs on the routing engine. It is responsible for collecting
MIB information from various sub-agents and responding to requests from NMS devices. SNMPD is also the process that
sends trap and inform messages to an NMS station.
NMS
Object Identifiers
• Purpose of 01 Ds
• Identifies a managed object within the MIB hierarchy
OMIBTree
0iso{1)
0org{1-3)
D do<I {1-3-6J
D mtemet c1-3_5_1J
D private {1-3.6_uJ
D enterpr;ses {1-3.6_1-4_1J
user@router> show snmp mib get jnxBoxserialNo.O DiuniperMIB{1-3_6_1 -4_1-2636)
DinxMi!Js {1-3.6 1 _ - 4 1_2636
_ _ 3J
jnxBoxserialNo.O = D4889 DinxBoxAnatomy <1-3_5_1_4_1-2636_3_1J
DinxBoxaass c1-3_5_1_4_1-2636.3_1-1i
DinxBoxDescr c1-3_5_1_4_1_2636_3_1-2i
user@router> show snmp mib walk 1. 3. 6 .1. 4 .1. 2636. 3 .1. 3 O l'lXBollSerialNo <1-3_6 _1 1_2636 3
_ _1-3i
i _4_
jnxBoxSerialNo.O = D4889
Purpose of OIDs
An 010 identifies a managed object within the MIB hierarchy. The slide gives a physical representation of the MIB tree and
the OIOs that relate to each specific part of the tree as it branches off to the jnxBoxSerialNo 010. The 010 is represented by
its name or its numeric instance value. The slide depicts the usage of the show srunp mib get and show srunp mib
walk commands to acquire the chassis serial number of an MX80 device.
SNMP Versions
SNMP Versions
The Junos OS supports the three major versions of SNMP; SNMP version 1 (SNMPvl), SNMP version 2c (SNMPv2c), and
SNMP version 3 (SNMPv3). However, the main focus of this section is SNMPv2c and SNMPv3.
SNMPvl is the initial implementation of SNMP that defines the architecture and framework for SNMP.
SNMPv2c is the revised protocol with improvements to performance and manager-to-manager communications. Specifically,
SNMPv2c implements community strings, which acts as passwords when determining who, what, and how the SNMP clients
can access the data in the SNMP agent . The community string is contained in SNMP Get, GetBulk, GetNext, and Set
requests. The agent may require a different community string for Get, GetBulk, and GetNext requests (read-only access) than
it does for Set requests (read-write access). SNMPv2c is not backward compatible with SNMPvl.
SNMPv3 is the most up-to-date protocol and focuses on security. SNMPv3 defines a security model, user-based security
model (USM), and a view-based access control model (VACM). SNMPv3 USM provides data integrity, data origin
authentication, message replay protection, and protection against disclosure of the message payload. SNMPv3 VACM
provides access control to determine whether a specific type of access (read or write) to the management information is
allowed. SNMPv3 is backward compatible with SNMPvl and SNMPv2c.
USM
USM uses the concept of a user for which security parameters are configured for both the agent and the manager. Messages
sent using USM are better protected than messages sent with community strings, where passwords are sent in clear-text.
With USM, messages exchanged between the manager and the agent can have data integrity checking and data origin
authentication through Message Digest 5 (MD5) or Secure Hash Algorithm (SHA). USM protects against message delays and
message replays by using time indicators and request IDs. Encryption is also available through AES128, Data Encryption
Standard (DES), or triple Data Encryption Standard (3DES).
VACM
To complement the USM, SNMPv3 uses the VACM, a highly granular access-control model for SNMPv3 applications, Based
on the concept of applying security policies to the name of the groups querying the agent, the agent decides whether the
group is allowed to view or change specific MIB objects, VACM defines collections of data, groups of data users, and access
statements that define which views a particular group of users can use for reading, writing, or receiving traps and informs.
VACM consists of two configuration trees: security-to-group and access. Security-to-group is where users are assigned to
groups based on security-model. USM, v2c, and vl are supported security-models. USM uses the USM security model. V2c
and vl use a simple community string as the user name. Users are assigned by using the user from the USM configuration
under the security-name option. Each user can only be assigned to a single group.
Access defines groups which contain a single security model, multiple security levels and a single read, write and notify view
for each security level.
Spoof Trap
• Spoofing SNMP traps
• The Junos OS allows for trap messages to be spoofed to test
configuration and NMS applications
user@router> request S�lflP spoof-trap ?
Possible comple�ions:
<trap> The name of the trap to spoof
adslAtucinitFailureTrap
adslAtucPerfESsThreshTrap
• You can also set specific values and instances of the objects
in the trap message
user@router> requ.est smnp spoof-trap linkup variable-bindings "ifindex[so-1/1/0. OJ = so-
1/1/0. 0, ifAdmiilStatus[so-1/1/0.0] = 1, ifOperStatus[so-1/1/0.0] = 2"
Spoofing a Trap
The Junos OS supports the ability to spoof an SNMP trap. Spoofing a trap is useful in testing your SNMP configuration
against the NMS. Without the spoof trap operation, a technician would have to go on site and manually remove
field-replaceable units (FRUs) in a managed device to correctly test the SNMP configuration. Now, with the request snmp
spoof trap command, you can simply name the trap you wish to spoof, and the Junos OS sends the requested trap to the
NMS device.
Also, as the slide depicts, you can add variables to a spoofed trap by using the variable-bindings option. This option
allows you to add in specific information into the trap message which might be helpful in testing your NMS applications.
SNMP Inform
• Details of SNMP inform messages
• Trap messages can be lost
• Inform message is the same as a trap message, but
includes reliability
• NMS returns an acknowledgment for the inform request
• Multiple retries by the agent if no acknowledgment is received
Manag�d Device
NMS
Inform Request
Inform Acknowledgment
Lc2014Junl�«�ln�Allrti,,ts-.. JUnl�
"1C;
WorldwideEducationServlces WWW.j\nlOJ)ernet J 18
'l:..:.J...�»:...J:!.JI,...:_.,£ L,,,__,__ � :.;._r-
trap-group new-group
categories
link;
targets
10.1.1.10;
Configuring a Community
The only required statement when configuring an SNMPv2c community string is the community statement with the
community name. If the community name contains spaces, you can enclose the community name in quotation marks.
snmp-community 1 {
community-name SECRET-DATA
security-na.�e jtnoc; Matches security name
Wag community-tag;! with the target
parameters
Tag referenced in
target-address
configuration
view jnxltlarms {
oid 1.3.6.1.4.1.2636.3.4 include;
target-parameters tpl {
parameters {
message-processing-model v3;
security-model usn;
security-level privacy;
security-name j�noc;
notify-fil�er nf2;
privacy-des {
privacy-key
1
'$9S6rhU/0BIEceK8369puBEhVws4GDqmfF69.mQn9Cu0R.hSyvW8X7Nbsp0BEcSMWZUDjHmf5F9tu3nreKMXx.Ndb
s2aDik.fTiHtuOBSyaZGU.Pz36CA03ncyeKx7Hq.PFn01RrlM5QSrKMXxUjiHqfQFn/tu6/0IEcleUjiqTzFn/Cp
0aZDkPfn6WLX7bs�•; ii SECRET-DJ!.�TA
remote-engine 666A61736B66313233316A666A61736C
user Userl {
authentication-none;
privacy-none;
security-name none
group system;
security-model v2c {
security-name public
group v2;
security-level none
read-view box;
notify-view all;
Engine ID: 81 00 Oa 4c 04 64 64 64 64
User Auth/Priv Storage Status
UNEW md5/none nonvolatile active
Group name Security Security Storage Status
model name type
gl usm userl nonvolatile active
g2 usm user2 nonvolatile active
g3 usm user3 nonvolatile active
Access control:
Group Context Security Read Write Notify
prefix model/level view view view
gl usm/privacy vl vl
g2 usm/authent vl vl
g3 usm/none vl vl
•SNMP
7RMON
• Flow Monitoring
RMON
The slide highlights the topic we discuss next.
RMON
• What is RMON?
• Monitors objects on managed device
• Warning sent if value exceeds a defined range
• Uses MIS to store OIDs
Bandwidth for an
interface
exceeded
Managed Device configured value.
NMS Sending RMON
[:J
-RM _ONA_larm_
I M I
What Is RMON?
The Junos OS supports the RMON MIB (RFC 2819), which allows a management device to monitor the values of MIB objacts,
or variables, against configured thresholds. When the value of a variable crosses a threshold, an alarm and its
corresponding event are generated. The event can be logged and the SNMP agent can generate a trap.
An operations support system (OSS) or a fault-monitoring system can be used to automatically monitor events that track
many different metrics, including performance, availability, faults, and environmental data. For example, an administrator
might want to know when the internal temperature of a chassis has risen above a configured threshold, which might indicate
that a chassis fan tray is faulty, the chassis air flow is impeded, or the facility cooling system in the vicinity of the chassis is
not operating normally.
Configuring RMON
• Configuring RMON
[edit srunp rmon]
user@router# show
alam 1 {
variable
sample-type absolute-value;
rising-threshold 800000000; Index number correlate
with event index
rising-event-index 1; numbers
falling-event-index
Options include:
event 1 {
log
ltyFe log-and-trap; I
log-and-trap
none
event 2 {
snmptrap
tyFe log;
Configuring RMON
To enable RMON alarms, you must perform the following steps:
Configure SNMP, including trap groups. You configure SNMP at the [edit snmp] hierarchy level.
Configure events using the CLI at the [edit snmp rmon event] hierarchy level.
Configure alarms using the CLI at the [edit snmp rmon alarm] hierarchy level. These alarms include the
variables to monitor rising and falling thresholds, the sampling types and intervals, and the corresponding
events to generate when alarms occur.
The slide depicts an alarm that monitors the variable ifHCOutlSecRate, which counts the number of bits per second
(bps) that egresses an interface. Then, the interface SNMP index is referenced after the variable. You can determine the
interface SNMP index by simply using the show interface command for the interface in question. Then, the rising
threshold of 800000000 bps, which is about 800 megabits per second (Mbps), is set with a falling threshold of
200000000, which is about 200 Mbps. Then, the rising event index is set to 1 and the failing event index is set to 2, which
relates to event 1 and event 2 respectively. Event 1 is set to record a log message and send a trap whenever the interface
output reaches the rising threshold. Event 2 is set to only record a log message when the falling threshold is passed after the
rising threshold has previously been reached.
Alarm
Index Variable description Value State
1 monitor
ifHCOutlSecRate.579 765136192 rising threshold
Continued on the next page.
Alarm
Index Variable description Value State
1 monitor
ifHCOutlSecRate.579 O falling threshold
Event
Index Type Last Event
1 log and trap 2013-01-18 14:55:07 MST
2 log and trap 2013-01-18 14:55:52 MST
Event Index: 2
Description: Event 2 triggered by Alarm 1, falling threshold (200000000)
crossed, (variable: ifHCOutlSecRate.579, value: 0)
Time: 2013-01-18 14:53:07 MST
Description: Event 2 triggered by Alarm 1, falling threshold (200000000)
crossed, (variable: ifHCOutlSecRate.579, value: 0)
Time: 2013-01-18 14:54:57 MST
Description: Event 2 triggered by Alarm 1, falling threshold (200000000)
crossed, (variable: ifHCOutlSecRate.579, value: 0)
Time: 2013-01-18 14:55:52 MST
•SNMP
•RMON
7Flow Monitoring
Flow Monitoring
The slide highlights the topic we discuss next.
JFlow
• An overview of J Flow
• Keeps track of sampled packets
• Records of sampled packets are aggregated and reported
• Reports are sent to a JFlow collector
• Support for JFlow v5, JFlow v8, JFlow v9, lnline JFlow (v10)
[] JFlow Collector
Packet Header I
Samples I
iO�n��="_<:
I
II! · J
I
-------
1
!
What Is JFlow?
JFlow is the sampling service that is available on Juniper devices. The JFlow service keeps track of the packets treated by the
router on any particular interface and the details of the traffic flow, such as the source address, the destination address,
packets, and byte counts, are aggregated and reported using the JFlow record. The JFlow reporting and the sampling service
will not hinder the traffic forwarded and processed by the router, prior to reporting the JFlow records, the router will sample
the incoming traffic as such eliminating any network delay to jitter introduced on the original flows. An integral part of the
JFlow sampling solution is the JFlow collector which is situated outside of the Juniper device as a separate appliance.
JFlow v5 and v8 are the most common standards today that are supported by most collectors worldwide. Two options of
JFlow v5 and v8 reporting are available, sampling by routing engine or alternatively, by the MS-PIG or MS-OPC. Routing
engine based sampling requires no additional hardware, but it poses resource implications on the routing engine.
Alternatively, using a dedicated MS-OPC or a MS-PIG allocates a separate services plane that eliminates any performance
implications. JFlow v5 and v8 records and templates are slightly different in content, mainly lacking support for 1Pv6 and
MPLS reporting.
With the limitations of JFlow v5 and v8, JFlow v9 introduces a new template to bridge this gap. The templates are backward
compatible across the versions. With flexibly introduced, the Juniper devices must use a MS-DPC or a MS-PIC. JFlow v9 does
not support routing engine based sampling.
Unique to Juniper MX 30 Trio forwarding line cards is inline JFlow, or JFlow v10. Inline JFlow provides increased sampling
capacity with limited forwarding impact. There is no need for additional hardware which transforms any MX 30 based router
into a carrier grade sampling node. Once the MX 30 router samples the traffic using the in line JFlow process, the records are
sent to the JFlow collector using the industry standard IPFIX version 10 format.
[edit services]
user@router# show
flow-monitoring {
version-ipfix
template sample-template
!ipv4-template; !
Use ipv6-template
for 1Pv6 traffic
family inet {
out.put {
flow-server 10.10.10.100
port 2055;
version-ipf:...x {
template {
lsa..rnple-templat.e; I
Referenced
template
inline-jflcw
source-address 10.10.10.1;
Chassis Configuration
Binding the sampling instance to the FPC is an important step. This action tells the Junos OS to use the memory contained in
the MX 3D Trio FPC for the sampling service. To bind an MX 3D Trio FPC to a sampling instance, issue the set fpc
FPC-number sampling-instance instance-name command at the [edit chassis] hierarchy level.
If you are sampling 1Pv4 and 1Pv6 traffic on the same MX 3D Trio FPC, or only 1Pv6, you must allocate MX 3D Trio FPC
memory using the sampling hash tables. You can specify the sampling hash tables by issuing the set
ipv4-flow-table-size va.lue or set ipv6-flow-table-size va.lue commands under the [edit chassis
fpc FPC-number inline-services flow-table-size] hierarchy level. The total number of units used for both
1Pv4 and 1Pv6 cannot exceed 15. Each unit represents 256k of MX 3D Trio FPC memory. If you are only sampling 1Pv4 traffic,
it is not necessary to configure any values for the sampling hash table; all memory resources are dedicated to 1Pv4 sampling.
Note that any change in the configured size of the flow hash table initiates an automatic reboot of the MX 3D Trio FPC.
If you are configuring inline sampling for an MX80 3D router, you do not bind the sampling instance to an MX 3D Trio FPC,
you must bind the sampling instance to the TFEB. The example on the slide shows a sampling instance that is being bound
to the TFEB in slot 0. On an MX80 3D router, the slot option always receives a value of O because there can only be one
TFEB installed in an MX80 3D router.
Continued on the next page.
Port Mirroring
• Port mirroring overview
• Entire packet is sent to an external host or packet analyzer
• Port mirroring takes precedence over sampling
Packet Analyzer
Copy of
Packets
family inet
output I
interface ge-0/0/1.0 I
next-hop 10.10.10.100;
Junm
"' ' 't - ·" "'"*' � 11" "
''C2014Juniper�ln�M·-·-. . WorldwideEducationServlces ---""' I 44
�L����""'--··-,..........._�,.� �- � - � � -
MAC address
IP address of analyzer
of analyzer
child-1
- _ _u_t __p_
�µn _e_r_s- --n
_ a_r-am-,et- p_a_r_e_n_t__l_,;
1-· _s_t_a_n_c_e__
_ ,
p
fa..:rnily inet { Child instance
output {
refers to parent
interface ge-0/0/2.0 {
next-hop 10.20.20.100;
instance for input
parameters
Summary
• In this content, we:
• Explained how to configure and monitor SNMP
• Discussed how to configure and monitor RMON
• Described how to use flow monitoring
We Discussed:
How to configure and monitor SNMP;
How to configure and monitor RMON; and
How to use flow monitoring.
Review Questions
Review Questions
1.
2.
3.
The information contained in the packet header is sent to the JF!ow collector
3.
An SNMP inform message requests a response from the NMS, whereas an SNl'vfi> trap does not request a response from the NMS.
Objectives
We Will Discuss:
How to open Juniper Networks Technical Assistance Center (JTAC) support cases;
How to access support resources;
How to access and use customer support tools; and
How to transfer large files to JTAC.
Support Entitlement
• JTAC support cases is only offered to customers with
a valid maintenance contract
• A chassis serial number is required when opening a case so
support status can be determined
• Details at: http:j/www_juniper_netjsupport/requesting
support_html
Support Entitlement
This slide stresses that Juniper Networks offers support only to customers with valid maintenance contracts, and that you must
provide a chassis serial number when opening a support case so that your support status can be verified. Use a show
chassis hardware command to obtain your chassis serial number:
user@m7i> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis 37079 M7i
Midplane REV 04 710-008761 CK8606 M7i Midplane
Power Supply 0 Rev 05 740-008537 5240478 AC Power Supply
Routing Engine REV 01 740-011202 1000596020 RE-850
CFEB REV 06 750-010464 CL0791 Internet Processor II
FPC O E-FPC
PIC 0 REV 11 750-002992 CL1404 4x F/E, 100 BASE-TX
PIC 1 REV 10 750-002971 CL0236 4x OC-3 SONET, MM
FPC 1 E-FPC
PIC 2 REV 07 750-009487 CL0970 ASP - Integrated (Layer-2-3)
PIC 3 REV 09 750-009098 CK7181 2x F/E, 100 BASE-TX
Opening a Case
Opening a Case
Customers can open support cases using the Case Manager website, or over the telephone. Note that you should always follow
up a Priority 1 case with a phone call to JTAC, even when you opened the case using Case Manager.
Case Management
• Case management details are provided at:
https:j/www.juniper.net/support/guidelines.html
• Definition of case priorities, escalation, support levels, RMA
handling, standard warranty, and gray market inspection
procedures
• Case priority is mutually agreed upon between customer and JTAC:
Priority 1 = Critical. Priority 2 = High, Priority 3 = Medium.
Priority 4 = Low
• Escalation management defines systematic escalation to
ensure that the appropriate resources within Juniper
Networks are used to resolve outstanding technical
problems as efficiently as possible
• Manual escalation available as well (KB17701)
Case Management
Case management details and procedures are provided at https://www.juniper.net;support;guidelines.html. This document
defines case priority levels, escalation management, warranty information, and so forth.
When you contact JTAC, a member of our support staff will work with you in assigning mutually agreeable priority levels to your
problem that will be reflected in the support case opened on your behalf. The priority levels are the following:
Priority 1 (Critical): Catastrophic impact to business operations. Examples of Priority 1 issues include network or
system outage that cause customers to experience a total loss of service.
Priority 2 (High): Significant impact to business operations. Examples of Priority 2 issues include network or system
events that cause intermittent impact to end customers.
Priority 3 (Medium): Limited impact to business operations. Examples of Priority 3 issues include network events
that result in only limited impact to end customers.
Priority 4 (Low): No impact to business operations. Examples of Priority 4 issues include information requests.
Juniper Networks offers systematic escalation management to customers with current service agreements. This escalation
management ensures that the appropriate resources within Juniper Networks are used to resolve outstanding technical
problems as efficiently as possible.
If you feel the problem is not being given the appropriate level of attention, you also have the option to manually escalate
your case using the Escalate This Case link on the case manager site. You will be prompted to list a reason for the
manual escalation. If the case is urgent, it is strongly recommended to call JTAC where you will be able to speak with an
escalation manager.
•·1·"
<<< Please select your product first or se-!ect the By Task tab.
Suppon Tool'5
Customer Support
Er�;.1y,tc,;1 A;re,•-r.;:D'
SUJ)t'k)n Sih,m.:r
Case Manager
Subscribe notifications
Case Manager
Many customers prefer to open and manage their cases with the point-and-click ease offered by the Case Manager (CM)
tool. In addition to opening a case, the CM provides a handy way of tracking the status of your open cases, Return Materials
Authorization (RMA) status, and so forth.
LOGGED IN:
Unread:
, Junos OS Release 12.2 is not
Popular Articles Recently Updated Articles Read r-.,e supported on S Series, J
Series, LNiOOO, and \l\'XC·!Sf,l·
Status 10 Popular Articles 200
Unreao KB7963 Copy tito;s from cn,2 lcc.3t1on to Jnother on a Roullng Engine Unread:
Unread KB11615 Ra1Jting Engine cper2tion and troubleshooting Prcduct Support Tools. Feature
E."";fplorer and Content E;<plorer
Knowledge Base
The knowledge base (KB) located at http://kb.juniper.net provides a key support tool for researching issues or technical
questions. This slide provides an example of a KB search using the keywords VPN Configuration. You can see that the results
are displayed at the bottom of the page.
PR Searches (1 of 3)
• What is a PR?
•APR is the description of a hardware or software defect
• The PR lifecycle is part of the Juniper Networks quality
assurance and software development process
1. A PR is opened and assigned a number for tracking purposes
2. JTAC makes sure Engineering has all the information to understand
and resolve the issue: if necessary. JTAC handles lab reproduction
and on-site troubleshooting
3. Engineering resolves the problem. and asks for verification from
JTAC and System Test (quality assurance). The PR's internal state is
then moved from open to feedback state
4. After the fix is verified. the PR is moved into close state. If the fix is
not complete. the PR is re-opened and sent to Engineering again
A problem report (PR) is the description of an issue, typically a software issue, that must be addressed by the Juniper
Engineering team. The lifecycle of a PR is part of the Juniper software and hardware development and quality assurance
processes. The steps shown on the slide are a subset of the full PR lifecycle, but list the major steps.
PR Searches (2 of 3)
• Structure of a PR
•APR can be summarized into these main fields (some are
optional):
• Number: A unique ID assigned by the Juniper defect tracking
system
• Title: A title of the problem report
• Release note: A summary description for inclusion in the release
notes of affected Junos OS versions
• Severity: This value can be minor (cosmetic or no impact). major
(potential service impact). or critical (must be addressed
immediately)
• Trigger: What causes the problem to manifest itself
• Workaround: When possible, a way to bypass the issue. or prevent
it from having service impact
• Status: Open (still not fixed) or closed (resolved)
• Resolved-in: Releases under which the problem is resolved
The Content of a PR
Among the fields that compose a PR, of particular interest are trigger and workaround; together, they can help you decide
the best way to minimize the impact of a software issue until the network can be upgraded to a release that is not affected.
In addition to those shown on the slide, a PR can also contain a number of additional fields. The full list is available on the
help page of the PR search Web interface.
PR Searches (3 of 3)
• Searching for a known software issue
• Known PRs are accessible using the Juniper Web interface
• You can search using a PR number or keywords
• Website access requires a valid login
• Open PRs affecting a Junos OS version are included
automatically in the Junos OS release notes
• Reviewing the release notes before deploying a new release is an
excellent addition to network operation procedures
• Tips for an efficient PR search:
• Be specific: if you do not get results. remove keywords
• Use the content log messages related to the failure-even if they
are not visible in the PR
• You can use quotes to search for a specific phrase
• You can use + and - to force keyword inclusion or exclusion.
respectively
Translates IOS
configurations to Junos
configurations
Generate IPsec
configurations for SRX
Series devices
destination-address
220.232.29.225/32;
then {
accept;
term T2
then {
accept;
JUNOSe to Junos Translator: Similar to the IOS translator, this tool translates ERX Series configurations to Junos
configurations.
ScreenOS to Junes Translator: This tool translates ScreenOS configurations to Junes configurations used on
SRX Series and J Series devices.
SFTP Example
• Uploading large files to JTAC
SFTP Example
The slide illustrates the procedure for uploading a large file to JTAC directly from a Junos device.
Summary
• In this content, we:
• Learned the recommended procedure to open a JTAC
support case
• Described support resources
• Described the customer support Web site
• Explained how to access and use customer support tools
• Used FTP to transfer large files to JTAC
We Discussed:
How to open JTAC support cases;
How to access support resources;
How to access and use customer support tools; and
How to transfer large files to JTAC.
Review Questions
Review Questions
1.
2.
3.
4.
http//www.juniper.net;techpubs/content
Content Explorer
applications/content-explorer
Feature Explorer http//pathfinder.juniper.netjfeature-explorer
Learning Bytes www.juniper.net;learningbytes
Installation and
www.juniper.net;courses
configuration cours
http://forums.juniper.net;t5/Training-Certification
J-Net Forum
Certification
Certification program
Courses //www.juniper.net;training/technical_education
Translation tools http//www.juniper.net;customers/support/#task
Translation tools: Several online translation tools to help simplify migration tasks.
www.juniper.net
Junos Troubleshooting in the NOC
www.juniper.net